When I go to the login page I get a special URL that changes every page request.
The form is pretty basic so it can be seen easily in the source code…
view-source:https://canfax.ca/(X(1)S(4jjhrfkrqaz45re5z10qngha))/Login.aspx?AspxAutoDetectCookieSupport=1
form tag:
<form name="aspnetForm" method="post" action="Login.aspx" onsubmit="javascript:return WebForm_OnSubmit();" id="aspnetForm">
That means it’s expecting the credentials to be sent via POST request to Login.aspx
and as there’s no URL path that makes it relative to the current path making it: https://canfax.ca/(X(1)S(4jjhrfkrqaz45re5z10qngha))/Login.aspx
^ but with the unique URL that the page loaded with.
Now you need the right value pairs which come from the form fields assuming JS isn’t changing anything. This is where things get awkward… there’s a bunch of hidden fields that get sent with the login/password.
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwULLTE1NzM1NzQ1MjMPZBYCZg9kFgJmD2QWAmYPZBYCAgMPZBYKAgUPDxYEHgRUZXh0BQdNZW1iZXJzHgdWaXNpYmxlaGRkAhMPDxYCHwFoZGQCFw8PFgQfAAUGTG9nb3V0HwFoZGQCGw9kFgICAw9kFgICAQ9kFgICCw8PFgIfAWdkZAIdDxYCHwAFgQc8ZGl2IGlkPSJmb290ZXIiPg0KICA8ZGl2IGNsYXNzPSJ3cmFwcGVyIj4NCiAgPHVsPg0KICAgICAgPGxpPjxhIGhyZWY9Imh0dHBzOi8vd3d3LmNhbmZheC5jYS9TaXRlTWFwLmFzcHgiPlNpdGUgTWFwPC9hPjwvbGk+DQogICAgICA8bGk+PGEgaHJlZj0iaHR0cHM6Ly93d3cuY2FuZmF4LmNhL1ByaXZhY3kuYXNweCI+UHJpdmFjeTwvYT48L2xpPg0KICAgICAgPGxpPjxhIGhyZWY9Imh0dHBzOi8vd3d3LmNhbmZheC5jYS9MZWdhbC5hc3B4Ij5MZWdhbDwvYT48L2xpPg0KICA8L3VsPgkNCiAgPHAgaWQ9ImNvcHlyaWdodCI+Q29weXJpZ2h0ICZjb3B5OyAyMDA4IENhbmZheCBDYW5hZGE8L3A+CQ0KICA8ZGl2IGNsYXNzPSJ2Y2FyZCI+DQogICAgPGRpdj4NCiAgICAgICAgPGEgaHJlZj0iaHR0cHM6Ly93d3cuY2FuZmF4LmNhL01haW4uYXNweCI+Q2FuZmF4PC9hPg0KICAgICAgICA8ZGl2IGNsYXNzPSJhZHIiPg0KICAgICAgICAgICAgPHNwYW4gY2xhc3M9ImV4dGVuZGVkLWFkZHJlc3MiPiMxODA8L3NwYW4+LCA8c3BhbiBjbGFzcz0ic3RyZWV0LWFkZHJlc3MiPjY4MTUgODxzdXA+dGg8L3N1cD4gU3RyZWV0IE5FPC9zcGFuPi4gPHNwYW4gY2xhc3M9ImxvY2FsaXR5Ij5DYWxnYXJ5PC9zcGFuPiwgPHNwYW4gY2xhc3M9InJlZ2lvbiI+QWxiZXJ0YTwvc3Bhbj4gPHNwYW4gY2xhc3M9InBvc3RhbC1jb2RlIj5UMkUgN0g3PC9zcGFuPjwvZGl2Pg0KICAgIDxkaXY+PHNwYW4gY2xhc3M9InRlbCI+PHNwYW4gY2xhc3M9InR5cGUiPlRlbDwvc3Bhbj46ICg0MDMpIDI3NS01MTEwPC9zcGFuPiA8c3BhbiBjbGFzcz0idGVsIj48c3BhbiBjbGFzcz0idHlwZSI+RmF4PC9zcGFuPjogKDQwMykgMjc1LTY5NDM8L3NwYW4+PC9zcGFuPjwvZGl2PjwvZGl2PgkNCiAgPC9kaXY+DQo8L2Rpdj5kZEfoqcyUizZFMBT3y93hHW+3Fa1H" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="C2EE9ABB" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWBALCsJqsDQLfworUBALDyorRAgKzzeeyCpz6KqfbIK6XwsA3z83FApfQk3yI" />
<input name="ctl00$ctl00$ctl00$MainContent$SubContent$SubContent$userNameTextBox" type="text" id="ctl00_ctl00_ctl00_MainContent_SubContent_SubContent_userNameTextBox" style="width:150px;" />
<input name="ctl00$ctl00$ctl00$MainContent$SubContent$SubContent$passwordTextBox" type="password" id="ctl00_ctl00_ctl00_MainContent_SubContent_SubContent_passwordTextBox" style="width:150px;" />
<input type="submit" name="ctl00$ctl00$ctl00$MainContent$SubContent$SubContent$signInButton" value="Sign In" onclick="javascript:WebForm_DoPostBackWithOptions(new WebForm_PostBackOptions("ctl00$ctl00$ctl00$MainContent$SubContent$SubContent$signInButton", "", true, "", "", false, false))" id="ctl00_ctl00_ctl00_MainContent_SubContent_SubContent_signInButton" class="add" />
__EVENTVALIDATION
for example may be a one-time code, a nonce for the day or something that can be used more than once. Best way to do this would be pulling those values out of the login page programatically to produce your curl
POST every time you want to login and curl
can also return the special url.
Confirming this against Chromium’s Network tab with a test submit, the curl request in it’s most basic form would look something like this where “USER” is your username, “PASS” is your password and the other values are relevant to the URL and field values of the most recent visit to the login page.
curl \
--user-agent 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36' \
-c cookie.txt \
-d '__EVENTTARGET:' \
-d '__EVENTARGUMENT:' \
-d '__VIEWSTATE:/wEPDwULLTE1NzM1NzQ1MjMPZBYCZg9kFgJmD2QWAmYPZBYCAgMPZBYKAgUPDxYEHgRUZXh0BQdNZW1iZXJzHgdWaXNpYmxlaGRkAhMPDxYCHwFoZGQCFw8PFgQfAAUGTG9nb3V0HwFoZGQCGw9kFgICAw9kFgICAQ9kFgICCw8PFgIfAWdkZAIdDxYCHwAFgQc8ZGl2IGlkPSJmb290ZXIiPg0KICA8ZGl2IGNsYXNzPSJ3cmFwcGVyIj4NCiAgPHVsPg0KICAgICAgPGxpPjxhIGhyZWY9Imh0dHBzOi8vd3d3LmNhbmZheC5jYS9TaXRlTWFwLmFzcHgiPlNpdGUgTWFwPC9hPjwvbGk+DQogICAgICA8bGk+PGEgaHJlZj0iaHR0cHM6Ly93d3cuY2FuZmF4LmNhL1ByaXZhY3kuYXNweCI+UHJpdmFjeTwvYT48L2xpPg0KICAgICAgPGxpPjxhIGhyZWY9Imh0dHBzOi8vd3d3LmNhbmZheC5jYS9MZWdhbC5hc3B4Ij5MZWdhbDwvYT48L2xpPg0KICA8L3VsPgkNCiAgPHAgaWQ9ImNvcHlyaWdodCI+Q29weXJpZ2h0ICZjb3B5OyAyMDA4IENhbmZheCBDYW5hZGE8L3A+CQ0KICA8ZGl2IGNsYXNzPSJ2Y2FyZCI+DQogICAgPGRpdj4NCiAgICAgICAgPGEgaHJlZj0iaHR0cHM6Ly93d3cuY2FuZmF4LmNhL01haW4uYXNweCI+Q2FuZmF4PC9hPg0KICAgICAgICA8ZGl2IGNsYXNzPSJhZHIiPg0KICAgICAgICAgICAgPHNwYW4gY2xhc3M9ImV4dGVuZGVkLWFkZHJlc3MiPiMxODA8L3NwYW4+LCA8c3BhbiBjbGFzcz0ic3RyZWV0LWFkZHJlc3MiPjY4MTUgODxzdXA+dGg8L3N1cD4gU3RyZWV0IE5FPC9zcGFuPi4gPHNwYW4gY2xhc3M9ImxvY2FsaXR5Ij5DYWxnYXJ5PC9zcGFuPiwgPHNwYW4gY2xhc3M9InJlZ2lvbiI+QWxiZXJ0YTwvc3Bhbj4gPHNwYW4gY2xhc3M9InBvc3RhbC1jb2RlIj5UMkUgN0g3PC9zcGFuPjwvZGl2Pg0KICAgIDxkaXY+PHNwYW4gY2xhc3M9InRlbCI+PHNwYW4gY2xhc3M9InR5cGUiPlRlbDwvc3Bhbj46ICg0MDMpIDI3NS01MTEwPC9zcGFuPiA8c3BhbiBjbGFzcz0idGVsIj48c3BhbiBjbGFzcz0idHlwZSI+RmF4PC9zcGFuPjogKDQwMykgMjc1LTY5NDM8L3NwYW4+PC9zcGFuPjwvZGl2PjwvZGl2PgkNCiAgPC9kaXY+DQo8L2Rpdj5kZEfoqcyUizZFMBT3y93hHW+3Fa1H' \
-d '__VIEWSTATEGENERATOR:C2EE9ABB' \
-d '__EVENTVALIDATION:/wEWBAKE1KiUCQLfworUBALDyorRAgKzzeeyCmJgAbNjaT4NY0KjcXEpwVaroYMV' \
-d 'ctl00$ctl00$ctl00$MainContent$SubContent$SubContent$userNameTextBox:USER' \
-d 'ctl00$ctl00$ctl00$MainContent$SubContent$SubContent$passwordTextBox:PASS' \
-d 'ctl00$ctl00$ctl00$MainContent$SubContent$SubContent$signInButton:Sign In' \
https://canfax.ca/(X(1)S(4jjhrfkrqaz45re5z10qngha))/Login.aspx
I’m afraid this may take quite a bit of grind work to automate if the server cares about these values.