Web pages gets 302 Moved Temporarily on first request, First session request to web pages get redirected to login.html Options

[Yitzchok]

Is there a reason that on the first request to the login.htm page (or any other web page in the system even if you add your own page into the html folder) gets redirected with a 302 Moved Temporarily to the login.htm?

This happens on the first request of a new web session to the server and after that it all works fine for that session.

That problem for me is that I am trying to send a request with a query string attached to the url (that I use in the javascript of the page) but I must always click the link twice to get it to go to the right page (even if the request is to the login.html)


Is there anyway to get around this problem?


Thanks
Yitzchok

[pbxnsip]

Yes, this is a known problem. We are thinking about a way so that you can automatically authenticate without the need to go through a login form. I am thinking about something like http://pbx/auto.htm?page=reg_settings.htm&...e&form2=123

[Yitzchok]

"http://pbx/auto.htm?page=reg_settings.htm&form1=save&form2=123

That will work as long as I am willing to put the password in the query-string (html PUT) unencrypted and un-encoded.

Another option I think can work, is not redirecting just the page auto.htm (but a request to that page should create new session even if he had one before) and I can add a auto.htm page in the html folder and post the login form on that page using javascript so the user kind of gets logged in automatically.

The best and most secure option (so that we don't have to expose the users password admin/other) would be to have some encryption key in the pbx (that is not exposed in the admin web ui but only in the bpx.xml file (or another file that wont get exported with the configuration export for extra security) since there can only be one admin user and this shouldn't be exposed to all admin users). So to auto login the user from a custom application I can send the user to a url with something like this http://pbx/auto.htm?auth=RW543tfw45tads54G...eg_settings.htm (auth might have to be url encoded)

The auth filed will be an encrypted string that has in it the password and an expiration time or even better the time the key was generated (and maybe also the users IP address) this will allow the user to login without exposing the password to the user and to hackers, and will make this auth key worthless after a few minutes from anywhere and non accessible from other ip's right away.

(To make things more complicated and secure you can use public/private key encryption but I don't know if this is necessary)


Thanks,
Yitzchok

[pbxnsip]

No matter what, you will always have to expose the password this way or another. If you want to keep it safe, you can still use https transport layer.

Actually, the point here is to have a simple way to automatically set something through the web interface of the PBX. I believe the following will do the job:

CODE

curl 'http://10.10.10.3/post.htm?user=admin&pass=password&file=reg_settings.htm&save=save&inband_decoding=true'

In this example, you go to the web page reg_settings.htm and set the setting "inband_decoding" to "true".

In order to set something in a domain, you muse include the domain in the style "domain=abc.com". If you want to set something for an account, then you should include the parameter in the style "account=40". For example:

CODE

curl 'http://10.10.10.3/post.htm?user=admin&pass=password&file=dom_ext.htm&editaccount=save&domain=localhost&account=40&call_redial=123456'

This feature will be available in the next head build.

[Yitzchok]

What you posted is an option but not one that will really work for us since I don't want to expose the users password as clear text in the url even if I use ssl because I don't want the password to show up in the url in clear text in any case, a person looking over my shoulder can see it.

If you use Public/Private key encryption then it is not possible to get the password from the info passed to the browser except if the person has the private key. I would love to see this but it is probably complicated to implement. You can contact me if you want more info on this.


What about also adding a page where the request doesn't get redirected to the login page so I can add the page to the html folder and use javascript to login the person.


For now I am not interested in changing settings in the PBX using URL's that should be implemented using REST or SOAP.

Thanks

[pbxnsip]

Certificate-based authentication is next. Then you can just import the public key into the account and the PBX will trust it and skip the authentication.

[Yitzchok]

Certificate-based authentication is next. Then you can just import the public key into the account and the PBX will trust it and skip the authentication.

That I think will do.

Thanks