Home → Problems →

Re-login does not work when using AutoLogin Plugin

• Edit

Mike

08 Nov, 2013 09:52 PM

As far as I can tell, the re-login feature does not work with the AutoLogin plugin. It looks like the session manager only will attempt a re-login in the event that a login_sequence has been defined and that only gets set if using the proxy module.

I think all that would need to be done to make this feature work is to have the AutoLogin login define a login sequence during initialization. I was going to play with the proxy module to see what a valid login_sequence looks like and have the autologin module generate one, but I feel like this would take you about 1/10 the time.

Cheers

1. Support Staff 1 Posted by Tasos Laskos on 09 Nov, 2013 12:15 AM

   

   The session code is a bit tricky to understand at first but the autologin plugin does set a login sequence, albeit indirectly. It assigns the login form to the session manager and that form contains the required data.

   The proxy can't operate in the same way because it's the browser who finds and fills in the form, so it has to provide a deduced and then verified login sequence.

   Have you got any system messages that show the issue?

   • Edit

2. 2 Posted by Mike on 09 Nov, 2013 12:50 AM

   

   I added debug outputs to the following method in session.rb to show the values of @login_sequence and @login_check and @login_sequence was nil and @login_check was set.

   def can_login?
           @login_sequence && @login_check
   end
   

   • Edit

3. Support Staff 3 Posted by Tasos Laskos on 09 Nov, 2013 12:53 AM

   

   Ah, this should have been:

   def can_login?
       has_login_sequence? && @login_check
   end
   

   Well spotted!

   • Edit

4. 4 Posted by Mike on 09 Nov, 2013 01:28 AM

   

   I made the change in the latest nightlies and it progressed past the check but now there is a stacktrace (attached)

   • arachni.txt 26.9 KB
   • Edit

5. Support Staff 5 Posted by Tasos Laskos on 09 Nov, 2013 01:35 AM

   

   The login form could not be found at its original location.

   Best guess, the scanner didn't get logged out but instead ran into a page which didn't match the login check, thus, the login form could not be located (in order to refresh any nonces) as the session was still valid and probably got a redirection or something.

   If that's not the case then we'll need to take a closer look.

   • Edit

6. 6 Posted by Mike on 09 Nov, 2013 01:47 AM

   

   That makes sense -- I killed the session by restarting the application instead of just invalidating the session so maybe Arachni fetched the page and got a 503 and then freaked out...

   It would be nice if Arachni could handle the situation where the application crashes since this happens from time to time during the scan. Not sure the best way to handle that... Maybe give the login form a few tries to show up?

   • Edit

7. Support Staff 7 Posted by Tasos Laskos on 09 Nov, 2013 01:50 AM

   

   Oh yeah no doubt about that, it should have been more graceful. I'll take care of this after I sort out your other issue.

   • Edit

8. Support Staff 8 Posted by Tasos Laskos on 11 Nov, 2013 07:11 PM

   

   Fixed the error, you should be getting a friendly message now.

   • Edit

9. Tasos Laskos closed this discussion on 11 Nov, 2013 07:11 PM.

10. Mike re-opened this discussion on 11 Nov, 2013 07:22 PM

11. 9 Posted by Mike on 11 Nov, 2013 07:22 PM

    

    Okay I'll give it a shot -- I looked at the commit you made to fix it and it does not look like Arachni will attempt to retry the login in the event that the login form disappears. I put a temp fix in session.rb that looks like this from the latest nightly...

        def ensure_logged_in
            return if !can_login?
            return true if logged_in?
    
            print_bad 'The scanner has been logged out.'
            print_info 'Trying to re-login...'
    
            counter = 0
            max_attempts = 5
            begin
                login
            rescue ::Exception => e
                counter = counter + 1
                print_bad "The login method failed. Retry attempt #{counter}."
                sleep 5
                retry if (counter < max_attempts)
            end
    
            if !logged_in?
                print_bad 'Could not re-login.'
                false
            else
                print_ok 'Logged-in successfully.'
                true
            end
        end
    

    I didn't take the time to make it elegant and this code can definitely be improved... But retry functionality would be very nice to have for when the login form disappears. What do you think?

    • Edit

12. Support Staff 10 Posted by Tasos Laskos on 11 Nov, 2013 07:24 PM

    

    You're right I forgot about that, I'll have it ready in a jiffy.

    • Edit

13. Support Staff 11 Posted by Tasos Laskos on 11 Nov, 2013 08:59 PM

    

    Done: https://github.com/Arachni/arachni/commit/5f287076e8cd59f6882a77953...

    • Edit

14. Tasos Laskos closed this discussion on 11 Nov, 2013 08:59 PM.