Check-in 2 – HTTP sessions

due at 23:59 on   +20

In this checkin, you will use curl to manually log in to a session with a web server, make several requests to that server, and then log out.

The relevant URLs are:

  • https://cs120.liucs.net/session/login

    This URL should be accessed with a POST method. It expects two parameters: username (include your first and last name), and password. The correct password is always secret, but you may want to try other passwords to see what happens.

    Upon a successful login, the response will come back with a Set-Cookie of the form sk=8f90bcc2 (the sk= is always the same, and the rest is a random eight-character hexadecimal session key). There will be another Set-Cookie with a variable _SESSION but you should ignore that one.

    You can pass the sk session key in a cookie to both of the URLs below.

  • https://cs120.liucs.net/session

    This URL should be accessed with a GET method. If you are logged in, and you pass the session key (of the form sk=8f90bcc2) as a cookie, then this URL will log your visit, and tell you how many times you have visited: “Welcome back, Chris League, visit number 2 in this session.” Once it succeeds, you should repeat it several times, so you record at least 4 or 5 visits.

    If you are not passing a valid session key, it will say “403 Permission denied: Invalid session”, or if you are not passing any sk cookie at all, it will say “403 Permission denied: Please log in first.”

  • https://cs120.liucs.net/session/logout

    This URL can be accessed with either a GET or a POST. If you are logged in, and you pass the session key (of the form sk=8f90bcc2) as a cookie, then this URL will log you out, making that session key invalid in the future.

    After a successful logout, you should try the middle URL /session one more time. Rather than saying “Welcome back,” it should now say “Invalid session.”

You can verify your work by browsing the table of sessions at https://cs120.liucs.net/admin/session. Your name and session key will appear in the first two columns, and the number of visits recorded in that session is in the right-most column. Clicking on the session key will show each access that was part of the session. For full credit, your name should appear next to at least one key that has a closed timestamp and more than one visit.
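The whole sequence (log in, visit several times, log out, confirm the key is now rejected) can be scripted rather than typed by hand. The script below is an added example, not part of the assignment page or the course server's own code; it assumes only the three URLs and response texts described above. The function names (extract_sk, classify, visit_number, session_walkthrough), the use of curl's -D - option to dump response headers to standard output, and --data-urlencode for the form fields are my choices. The sample header and body lines used for the offline demo are constructed to match the formats the page describes. The point worth noticing from a security angle is that the eight-character sk value is the entire credential: whoever presents it is treated as you until /session/logout invalidates it, which is why the walkthrough checks that the key really stops working afterwards.

```shell
#!/bin/sh
# Added example: curl-based walkthrough of the cs120 session check-in.
BASE="https://cs120.liucs.net/session"

# extract_sk: read response headers (from `curl -D -` or the `< ` lines of `curl -v`)
# on stdin and print the sk= session key, ignoring the _SESSION cookie.
extract_sk() {
  sed -n 's/^\(< \)*[Ss]et-[Cc]ookie: *sk=\([0-9a-f]\{8\}\).*/\2/p' | head -n 1
}

# classify: read a response body on stdin and name which documented outcome it is.
classify() {
  body=$(cat)
  case "$body" in
    *"Welcome back"*)        echo welcome ;;
    *"Invalid session"*)     echo invalid ;;
    *"Please log in first"*) echo not-logged-in ;;
    *)                       echo unknown ;;
  esac
}

# visit_number: pull N out of "... visit number N in this session."
visit_number() {
  sed -n 's/.*visit number \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# session_walkthrough NAME: perform the live login / visits / logout against the server.
session_walkthrough() {
  name="$1"
  # 1. POST the login form; headers go to stdout (-D -), body is discarded.
  sk=$(curl -s -D - -o /dev/null \
         --data-urlencode "username=$name" --data-urlencode "password=secret" \
         "$BASE/login" | extract_sk)
  [ -n "$sk" ] || { echo "login failed: no sk cookie in response" >&2; return 1; }
  echo "session key: $sk"
  # 2. GET /session five times with the cookie so several visits are recorded.
  i=1
  while [ "$i" -le 5 ]; do
    reply=$(curl -s -b "sk=$sk" "$BASE")
    echo "visit $(printf '%s' "$reply" | visit_number): $(printf '%s' "$reply" | classify)"
    i=$((i + 1))
  done
  # 3. Log out (GET is accepted), then confirm the same key is rejected.
  curl -s -b "sk=$sk" "$BASE/logout" >/dev/null
  after=$(curl -s -b "sk=$sk" "$BASE" | classify)
  echo "after logout: $after"          # expected: invalid
  [ "$after" = "invalid" ]
}

# Offline demo on a constructed response (sample values, not real server output).
sample_headers=$(printf 'HTTP/1.1 200 OK\r\nSet-Cookie: _SESSION=abc123; Path=/\r\nSet-Cookie: sk=8f90bcc2; Path=/\r\n')
echo "parsed key: $(printf '%s\n' "$sample_headers" | extract_sk)"
echo "Welcome back, Chris League, visit number 2 in this session." | classify

# Run the live sequence only when asked: sh script.sh run "Chris League"
if [ "${1:-}" = "run" ]; then
  session_walkthrough "${2:-Chris League}"
fi
```

Run it with no arguments to exercise the parsing helpers on the constructed sample; `sh script.sh run "Your Name"` performs the real login, visits and logout against the server. Because curl is given the cookie explicitly with -b each time, no cookie jar is needed, and the same sk value can be pasted into the admin table to check that your session shows a closed timestamp and several visits.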

Below, for your reference, are some reminders about curl options. The only options not in the HTTP notes are -b to pass cookie data and -X to specify the request method.

  • -v will show you the full conversation, including the response headers

  • -d "username=Chris+League" is how you pass data in a POST request

  • -b sk=8f90bcc2 will send a cookie along with your request

  • -X POST or -X GET let you specify the request method. The default is GET unless you are using -d (for POST) or -I (for HEAD).

  • -H "Accept-Language: es" can be used to specify other headers in your request. The server still supports the same languages as in the previous check-in. (It’s not necessary to use a different language for this assignment, but you can toy with it if you want.)

  • -H "Cookie: sk=8f90bcc2" is an alternative to using -b to specify a cookie in your request.