Why won't this Ruby/Mechanize HTTP POST work? (the bank's web server gives a Session Timeout response)

Hi,

A question for the web/HTTP gurus out there if I may (who understand
cookies, session ids, etc).

BACKGROUND:

I'm writing some Ruby code (using Mechanize) to automate logging into
my bank account to check the balance. In the first step after I
successfully log in and click on a button I am getting "Your Session Has
Ended"! I've simulated using the bank account in my browser manually
without JavaScript enabled, so this shouldn't be the issue (I note that
someone posted that Mechanize doesn't support JavaScript). I'm wondering
what it could possibly be, and what tools/approach I could use to prove
that the request from Ruby/Mechanize exactly matches the successful POST
that occurs when I log in through my browser.

QUESTIONS:

Q1 - Based on the below, can someone see why I am getting a "Your
Session Has Ended"? (e.g. is it something to do with the
SessionId/cookies/full POST parameters being in place?) Some ideas,
however I'm not sure if they are significant:
(a) I had to do some workarounds, as Mechanize didn't seem to be
creating a valid URI for the first part of the URL, hence I hand
modified it. I think it should be OK? It is the line in the code
continue_form.action = "https://banking2.anz.com/IBAU/" +
continue_form.action
(b) The form itself (see below) actually doesn't have a SUBMIT button
but has an INPUT TYPE="Image" tag. Mechanize doesn't seem to pick
this up, but when I do a Mechanize "submit" via the code page =
agent.submit(continue_form) it still seems to initiate a POST to the
server, albeit the response that comes back says the session has
expired. I note there are some missing parameters in the browser
trace versus the Ruby/Mechanize trace (see below), but would this
cause a "session is no longer valid"? (I tried to manually add fields
to compensate into the form via the code
continue_form.add_field!("Action.RetUser.SignonOK", "Proceed to
Internet Banking"), however it didn't seem to trigger them to be
included.)

Q2 - What tool can I use on both the browser and my Ruby/Mechanize code
to compare the exact POSTs and see where the differences are? I can
use Live HTTP Headers in Firefox for the browser test (which works),
but in Ruby/Mechanize I think I'm stuck with its logging. I can't
run Wireshark as the traffic is HTTPS and encrypted. Any ideas?

Q3 - If the exact issue isn't obvious, any suggestions/ideas on what to
try?

FURTHER BACKGROUND:

  • Successful Trace - manually via browser - using the Live HTTP Headers
    plugin for Firefox (I've shortened the session key for succinctness)
    POST /IBAU/BANKAWAYTRAN;jsessionid=xxx
    Action.RetUser.SignonOK.x=39&Action.RetUser.SignonOK.y=12&Action.RetUser.SignonOK=Proceed+to+Internet+Banking

  • Unsuccessful Trace - i.e. What I see in the Ruby/Mechanize log file
    Net::HTTP::Post: /IBAU/BANKAWAYTRAN;jsessionid=xxx

  • Guts of the Form I'm simulating the response for:

  • My Ruby/Mechanize Code

require 'rubygems'
require 'mechanize'
require 'mechanize_extns/form_extn.rb'
require 'logger'

# log every request/response Mechanize makes to STDERR
agent = WWW::Mechanize.new { |a| a.log = Logger.new(STDERR) }

# Step 1 - Navigate to Login Page

page = agent.get('Login - ANZ Internet Banking') # login page URL
if !page.forms[1] || (page.forms[1].name != "loginForm")
  puts "ERROR: At login form validation failed"
  exit
end

# Step 2 - Login

login_form = page.forms[1]
login_form.CorporateSignonCorpId = "xxxx"
login_form.CorporateSignonPassword = "yyyy"
page = agent.submit(login_form)
if !page.forms[0] || (page.forms[0].name != "securityForm")
  puts "ERROR: At clicking on continue button after login"
  exit
end

# Step 3 - Click Continue to Main Page (** WHERE ISSUE OCCURS **)

continue_form = page.forms[0]

# workaround 1 - the bank's input tag of type image does not seem to
# get handled, so add a button in
continue_form.add_field!("Action.RetUser.SignonOK", "Proceed to Internet Banking") # Don't see effect of this in log trace?
continue_form.add_field!("Action.RetUser.SignonOK.x", "23")                        # Don't see effect of this in log trace?
continue_form.add_field!("Action.RetUser.SignonOK.y", "7")                         # Don't see effect of this in log trace?

# workaround 2 - the relative URI in the bank form's action does not
# seem to get handled, so add the front part on
continue_form.action = "https://banking2.anz.com/IBAU/" + continue_form.action
page = agent.submit(continue_form)
if !page.forms[1] || (page.forms[1].name != "formAll1")
  puts "ERROR: At clicking on continue button after login ==================================" # <== FAILED HERE WITH SESSION ENDED IN RESPONSE
  puts page.content
  puts "ERROR: At clicking on continue button after login =================================="
  exit
end

# Step Final - Logout

puts "Completed!"

Any other info that would help you out helping me out?

thanks
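An added example for Q2 (not part of the post above, nor of Mechanize): once both sides have been captured as raw request text, the useful comparison is structural, not eyeballing logs. The browser side can come from Live HTTP Headers as in the post; the script side is easiest to capture by pointing Mechanize at an intercepting proxy with `agent.set_proxy(host, port)` (Burp Suite or mitmproxy, for instance), which terminates the TLS so the HTTPS objection goes away. The two captures below are constructed: only the request lines and the browser body are taken from the post; every header is an illustrative assumption. The script splits the Java-style `;jsessionid=` path parameter from the plain path, decodes the URL-encoded body, and reports each missing or differing header, path parameter and body field. It also checks a caveat worth knowing for any servlet-backed site: the server identifies the session by the `jsessionid` path parameter or the `JSESSIONID` cookie, so when both are sent they must name the same session.

```ruby
# Added example (not from the original post): diff two captured HTTP requests.
# Only the request lines and the browser body are from the post; all headers
# below are constructed for illustration.
require 'uri'

# Browser-side capture, modelled on the Live HTTP Headers trace in the post.
BROWSER_TRACE = <<~RAW
  POST /IBAU/BANKAWAYTRAN;jsessionid=xxx HTTP/1.1
  Host: banking2.anz.com
  Cookie: JSESSIONID=xxx
  Referer: https://banking2.anz.com/IBAU/BANKAWAYTRAN;jsessionid=xxx
  Content-Type: application/x-www-form-urlencoded

  Action.RetUser.SignonOK.x=39&Action.RetUser.SignonOK.y=12&Action.RetUser.SignonOK=Proceed+to+Internet+Banking
RAW

# Script-side capture, modelled on the Mechanize log line in the post:
# same path, but no form fields reached the wire (constructed headers).
MECHANIZE_TRACE = <<~RAW
  POST /IBAU/BANKAWAYTRAN;jsessionid=xxx HTTP/1.1
  Host: banking2.anz.com
  Cookie: JSESSIONID=xxx
  Content-Type: application/x-www-form-urlencoded

RAW

Request = Struct.new(:verb, :path, :path_params, :query, :headers, :body_params)

# Split a raw request into verb, plain path, ";key=value" path parameters
# (how a servlet container rewrites session ids into URLs), query, headers
# (names lower-cased) and decoded form body.
def parse_request(raw)
  head, body = raw.split(/\r?\n\r?\n/, 2)
  request_line, *header_lines = head.lines.map(&:chomp)
  verb, target, _version = request_line.split(' ', 3)
  headers = header_lines.each_with_object({}) do |line, h|
    name, value = line.split(':', 2)
    h[name.strip.downcase] = value.to_s.strip
  end
  uri = URI.parse(target)
  plain_path, *params = uri.path.split(';')
  path_params = params.map { |p| k, v = p.split('=', 2); [k, v] }.to_h
  Request.new(verb, plain_path, path_params,
              URI.decode_www_form(uri.query.to_s).to_h,
              headers,
              URI.decode_www_form(body.to_s.strip).to_h)
end

# Report keys missing from, unexpected in, or different between two hashes.
def diff_hashes(label, expected, actual)
  (expected.keys | actual.keys).sort.filter_map do |k|
    if !actual.key?(k)
      "#{label} missing: #{k}"
    elsif !expected.key?(k)
      "#{label} unexpected: #{k}"
    elsif expected[k] != actual[k]
      "#{label} differs: #{k} (#{expected[k].inspect} vs #{actual[k].inspect})"
    end
  end
end

# Every way the script's request departs from the browser's; empty means identical.
def diff_requests(expected, actual)
  diffs = []
  diffs << "method: #{expected.verb} vs #{actual.verb}" if expected.verb != actual.verb
  diffs << "path: #{expected.path} vs #{actual.path}" if expected.path != actual.path
  diffs.concat(diff_hashes('path param', expected.path_params, actual.path_params))
  diffs.concat(diff_hashes('query param', expected.query, actual.query))
  diffs.concat(diff_hashes('header', expected.headers, actual.headers))
  diffs.concat(diff_hashes('body param', expected.body_params, actual.body_params))
  diffs
end

# A servlet container resolves the session from the jsessionid path parameter
# or the JSESSIONID cookie; if both are present they must agree, otherwise the
# request lands in a different (or no) session.
def session_consistent?(req)
  cookies = req.headers.fetch('cookie', '').split(/;\s*/)
                .map { |c| k, v = c.split('=', 2); [k, v] }.to_h
  cookie_id = cookies['JSESSIONID']
  url_id = req.path_params['jsessionid']
  cookie_id.nil? || url_id.nil? || cookie_id == url_id
end

if __FILE__ == $PROGRAM_NAME
  browser = parse_request(BROWSER_TRACE)
  script  = parse_request(MECHANIZE_TRACE)
  puts diff_requests(browser, script)
  puts "session ids consistent: #{session_consistent?(script)}"
end
```

On the constructed captures the report lists the missing Referer header and the three absent `Action.RetUser.SignonOK` fields, which is the kind of output that tells you whether the gap is the image-button parameters, a lost cookie, or a rewritten path. Replace the two heredocs with real captures (redact the session id before sharing them) and the same diff applies unchanged.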