How to do a server to server response to a POST - post

I am working on an old classic asp site that uses vbscript for the server code and HTML and JavaScript for the client end. I am communicating with an external server which handles the credit card payment details.
I have found loads of answers for getting the response from a POST to the server (both from the client using JavaScript and from our own website server using vbscript). However, what I am failing to find is how to respond from my server to a POST made from the credit card gateway server.
The sequence goes something like this:
I post all the transaction details to the gateway server
They immediately respond with a success status, a security key, a transaction ID, and a URL to which I must immediately redirect.
They then send a 'notification' post to a URL, that I gave in the first post, with an MD5 hash made up from details of the transaction and, importantly, the security key. I must generate the same MD5 hash and check that it matches. This is obviously to confirm that the initial transaction has not been compromised in any way.
Having done the security check I am required to respond: "When we receive your response to our notification POST, we determine where to direct your customers browser based on your response Status:"
That last stage is the one I am struggling with. I'm sure it's something really simple and silly but I just can't find any information anywhere. I have found lots of stuff on HTTPResponse but that all seems to be getting the response from a POST that I have made (and I have used this in the earlier stages) whilst here I am wanting to generate a response to a POST I have received. Note this must all be done at my server end as the credit card gateway have the IP address of our server and will only accept these transactions from that IP address therefore none of this can be sent from the customer's browser.
Sorry if this is really dumb! I am a C++ developer not a web developer but, as is the way with these things, I am having to do this bit of web development!

What you are talking about here is a consumer (the Gateway server) sending a POST request to an endpoint on your web application, which you should handle just the same as if you were receiving a POST from a local request, the process is the same.
Here is a basic example;
<%
'Expect only POST data to this page
If UCase(Request.ServerVariables("REQUEST_METHOD") & "") = "POST" Then
  'Craft your response
  Call BuildResponse()
Else
  'Anything other than a POST should be met with a 404 response.
  Response.Status = "404 Not found"
End If
Call Response.End()

'Sub for crafting your response.
Sub BuildResponse()
  'Do we have a form field of "somevalue" with a value of "yes"?
  If LCase(Request.Form("somevalue") & "") = "yes" Then
    Call Response.Write("Hello world - Valid")
  Else
    Call Response.Write("Hello world - Invalid")
  End If
End Sub
%>
This is just a basic example that expects a form post parameter of "somevalue" with a value of "yes". Based on this it returns a conditional response.
Obviously, you will need to pad out the response based on your requirements but this should give you some idea of how to structure it.
Side-note: As you won't be the consumer yourself, it might be an idea to output a text file or set up an email that reports the passed form parameters, to help you debug what the consumer is POSTing to the page and work out how to handle the request and generate a valid response the consumer expects.
Useful Links
How to check form submission ASP classic
ASP - Printing the entire request contents
How to create a new text file with asp?
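The notification step described in this question, sketched in Python as an added example (not code from the original posts or from any gateway): it recomputes the MD5 from the posted fields plus the stored security key, compares it in constant time, and builds the reply body. The field names, the signed-field order, and the `Status=`/`RedirectURL=`/`StatusDetail=` reply format with its OK/INVALID/ERROR values are assumptions; take the real ones from the gateway's documentation.

```python
import hashlib
import hmac

# Assumed for this sketch: which fields are hashed and in what order. The
# gateway's integration guide defines the real list.
SIGNED_FIELDS = ("TransactionID", "Status", "Amount")

def expected_signature(form, security_key):
    """MD5 of the signed fields followed by the stored security key."""
    material = "".join(form.get(f, "") for f in SIGNED_FIELDS) + security_key
    return hashlib.md5(material.encode("utf-8")).hexdigest().upper()

def handle_notification(form, key_store, redirect_base):
    """Return (http_status, body) to write back to the gateway's POST."""
    security_key = key_store.get(form.get("TransactionID", ""))
    if security_key is None:
        status, detail = "ERROR", "Unknown transaction"
    else:
        supplied = form.get("Signature", "").upper().encode("utf-8")
        wanted = expected_signature(form, security_key).encode("utf-8")
        # Constant-time comparison; bytes so odd input cannot raise.
        if hmac.compare_digest(supplied, wanted):
            status, detail = "OK", "Signature verified"
        else:
            status, detail = "INVALID", "Signature mismatch"
    # Hypothetical reply format: one Name=Value pair per CRLF-separated line.
    body = "\r\n".join([
        "Status=" + status,
        "RedirectURL=" + redirect_base + "?result=" + status.lower(),
        "StatusDetail=" + detail,
    ])
    return 200, body

# Constructed sample data: the key saved from the gateway's first reply, and
# a notification signed the way this sketch assumes the gateway signs it.
SAMPLE_KEYS = {"TX-1001": "EXAMPLEKEY123"}
SAMPLE_FORM = {"TransactionID": "TX-1001", "Status": "OK", "Amount": "49.99"}
SAMPLE_FORM["Signature"] = expected_signature(SAMPLE_FORM, SAMPLE_KEYS["TX-1001"])

if __name__ == "__main__":
    print(handle_notification(SAMPLE_FORM, SAMPLE_KEYS, "https://shop.example/done")[1])
```

The security key is looked up server-side by transaction ID and never taken from the incoming POST, which is what makes the hash check meaningful.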

Related

POST Request is Displaying as GET Request During Replay In Jmeter

I have a Jmeter script where during replay, Post request is displaying as Get request and the parameters in the request are not sent to the server. Due to this, correlations are failing at this request.
One of the parameters in the request is ViewState with so many characters. Is this large parameter value causing the above issue? How to proceed now?
Most probably you're sending a malformed request, therefore instead of properly responding to a POST request you're being redirected somewhere (most probably to the Login page).
Use the View Results Tree listener in HTML or Browser mode to see what page you're hitting in reality.
With regards to the ViewState, "so many characters" is not a problem, the problem is that these are not random characters. ViewState is being used for client-side state management and if you fail to provide the proper value you won't be able to move further so you need to design your test as follows:
Open first page
Extract ViewState using a suitable Post-Processor
Open second page
here you need to pass viewstate from the step 1 along with other parameters
More information: ASP.NET Login Testing with JMeter
Also don't forget to add HTTP Cookie Manager to your Test Plan
What I'm able to understand is the request may be getting redirected. This happens usually when the server expects a unique request. If you recorded the request, you may be possibly using older headers that carry old cookie information. Check your headers and then reconstruct the request.
Make sure you are not using old cookies anywhere. Remove that cookie part from HTTP Header Manager everywhere.

Jersey Client: Authentication fails at redirect by Jenkins

I am attempting to use the REST api of Jenkins. Jenkins requires a POST request to a URL to delete a job. This results in the following:
I tell my chosen Client to send a POST to the appropriate URL.
The client sends a POST and authorizes itself with username and password.
Jenkins deletes the job.
Jenkins returns a "302 - Found" with the location of folder containing the deleted job.
Client automatically sends a POST to the location.
Jenkins answers with "200 - OK" and the full HTML of the folder page.
This works just fine with Postman (unless I disable "Automatically follow redirects" of course).
Jersey however keeps running into a "404" at step 5 because I blocked anonymous users from viewing the folder in question. (Or a "403" if I blocked anonymous users altogether.)
Note that the authentication works in step 1 because the job has been deleted successfully!
I was under the impression that Jersey should use the given authentication for all requests concerning the client.
Is there a way to actually make this true? I really don't want to forbid redirects just to do every single redirect myself.
To clarify: The problem is that Jersey follows the redirect but fails to authenticate itself again, leading to the server rejecting the second request.
Code in question:
HttpAuthenticationFeature auth = HttpAuthenticationFeature.basicBuilder()
    .credentials(username, token)
    .build();
Client client = ClientBuilder.newBuilder()
    .register(auth)
    .build();
WebTarget deleteTarget = client.target("http://[Jenkins-IP]/job/RestTestingArea/job/testJob/doDelete");
Response response = deleteTarget.request()
    .post(null);
EDIT: The "302-Found" only has 5 headers according to Postman: Date, X-Content-Type-Options ("nosniff"), Location, Content-Length (0) and Server. So neither any cookies nor any tokens that Postman might use and Jersey disregard.
Question loosely related to this one - if I were able to log the second request I might be able to understand what's happening behind the scenes.
EDIT2: I have also determined that the problem is clearly with the authentication. If I allow anonymous users to view the folder in question, the error disappears and the server answers with a 200.
I found the answer with the help of Paul Samsotha and Gautham.
TL;DR: This is intended behavior and you have to set the System property http.strictPostRedirect=true to make it work or perform the second request yourself.
As also described here, HttpURLConnection decided to not implement a redirect as it is defined in the HTTP standard but instead as many browsers implemented it (so in layman's terms, "Do it like everyone else instead of how it is supposed to work"). This leads to the following behavior:
Send POST to URL_1.
Server answers with a "302 - Found" and includes URL_2.
Send GET to URL_2, dropping all the headers.
Server answers with a "404 - Not Found" as the second request does not include correct authentication headers.
The "404" response is the one received by the code, as steps 2 and 3 are "hidden" by the underlying code.
By dropping all headers, the authentication fails. As Jersey uses this class by default, this led to the behavior I was experiencing.
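Performing the second request yourself, as the answer above suggests, means deciding which method and headers to carry over. This added Python example (not from the original post; `next_request` and the host names are hypothetical) models that decision and re-sends `Authorization` and `Cookie` only when the redirect stays on the same origin.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECTS = (301, 302, 303, 307, 308)

def origin(url):
    """(scheme, host, port) tuple used to decide whether credentials may follow."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)

def next_request(method, url, headers, status, location, strict_post=False):
    """Return (method, url, headers) for the follow-up request, or None."""
    if status not in REDIRECTS or not location:
        return None
    target = urljoin(url, location)          # Location may be relative
    if status == 303 and method != "HEAD":
        new_method = "GET"
    elif status in (301, 302) and method == "POST" and not strict_post:
        new_method = "GET"                   # browser-style: POST becomes GET
    else:
        new_method = method                  # 307/308, or strict handling
    same_origin = origin(target) == origin(url)
    kept = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in ("authorization", "cookie") and not same_origin:
            continue                         # never hand credentials to another origin
        if new_method != method and lname in ("content-type", "content-length"):
            continue                         # the body is dropped with the method change
        kept[name] = value
    return new_method, target, kept

# Constructed sample: the delete call from the question against a made-up host.
SAMPLE_URL = "http://jenkins.example/job/RestTestingArea/job/testJob/doDelete"
SAMPLE_HEADERS = {"Authorization": "Basic ZXhhbXBsZTp0b2tlbg==",
                  "Content-Type": "application/x-www-form-urlencoded"}

if __name__ == "__main__":
    print(next_request("POST", SAMPLE_URL, SAMPLE_HEADERS, 302,
                       "/job/RestTestingArea/"))
```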

How to integrate BurstSMS API into asp.NET application?

I have a situation where, if anyone sends an SMS to my virtual number (CallerID), the BurstSMS API will call my handler, which gets the response from the query string and proceeds further.
So I only want to know how, and which things are needed, to integrate the BurstSMS API into my ASP.NET application.
I couldn't find the information in the documentation on the API site, nor any article on Google.
Thanks in advance.
This is what you need to do.
Log in to your account
Go to Messaging -> Keywords
Click Edit from the Actions column of the campaign you would like to receive responses for
In the form which pops up fill in the "Send Response to URL" field with a URL to a script on your server which can process the responses, e.g. www.clienturl.com/sms.php
Click Save
From then on we will forward all SMSes for that campaign to your script with an HTTP GET request. For example, if you send "Property 25" to your longcode, we will call
www.clienturl.com/sms.php?mobile=61430008230&response=Property+25
From that you can see the parameters we use.
You could also add other parameters for your own reference, such as the longcode or an internal client id, by using a different URL in the "Send Response to URL" field, e.g.
www.clienturl.com/sms.php?longcode=61418499440&client=123
In which case we would send to you
www.clienturl.com/sms.php?longcode=61418499440&client=123&mobile=61430008230&response=Property+25
Source burstsms

HttpWebRequest simulating the request from firebug always failed

I got an eccentric problem. I am trying to automate visiting a web site by using WebRequest and WebClient. I have observed all the POST request header key-value pairs and the posted data string in Firebug (Request Header and Post tabs). Then I simulated such a request with WebRequest and put all the header parameters and posted data there. However, when I call GetResponse() on this request instance, I always get an error page back that says some sessionID is short of.
Actually I have taken care to put the session cookie returned previously (in the first step, opening the Logon page) in the request header's Cookie field. And I can get the correct response back by simulating the request for the logon page (the 1st page), but cannot get through this authentication page. My post data is like userid=John&password=123456789&domain=highmark. And the authentication page request carried out by the browser succeeds every time.
Am I missing something in the request that may not be shown by Firebug? If yes, can you recommend tools that can examine the entire request sent by the browser?
I have solved this issue. The problem is I set the httpWebRequest instance's AllowAutoRedirect=true. The effect is that when I got the first response from the server, the httpWebRequest would continue to make another request for a different URL, the one given in the response header's Location field.
The defect of the HttpWebRequest class is that when it is redirected, it does not include the cookies from the response's Set-Cookie header field in the next request header, so the server denies the page request and may redirect again to another page.
And the httpWebRequest.GetResponse() method only returns the last page in the chain under the setting AllowAutoRedirect=true, so I got a totally different response than I expected.
Also, in solving this, I need to thank a distinguished HTTP traffic examining tool: IEInspector Http Analyzer (http://www.ieinspector.com/httpanalyzer/). The great feature of this tool is that it can examine not only the HTTP traffic from the browser but also what your process's httpWebRequest made. It can also display the raw stream of those requests and responses in text format. Although it is commercial software, you can try it for 15 days. I am quite happy with what it tells me (in well-formed detail) and I would like to buy it as well.

Is it "okay" to return HTML markup in a non-HTTP-200 response?

Imagine you've got a form on a page, and you POST that form's data to the server in an AJAXian way, e.g. jQuery.post(). The server judges that the data is invalid because, say, the email address doesn't contain an '#' symbol.
I think that the spirit of HTTP says the server should return an "HTTP 400 Bad Request" status code with its response to indicate to the client that it couldn't process the request. The reason (data didn't validate) should be in the body of the response.
But I'm working in an ASP.NET MVC environment that has traditionally implemented "partial views"--HTML fragments sent as responses, meant to be substituted into the client's DOM when received from an AJAX request. In this paradigm, the server typically constructs an alternative version of the form, filled with the (invalid) submitted values and styled with red highlights and alerts indicating that the email address was invalid and should be corrected. The client substitutes that form into its DOM, and the user sees the problem.
This is a common enough pattern in MVC world, but I don't see anybody taking the care to set an appropriate HTTP status code. I can't figure out why.
Is it "okay" to include HTML markup in a non-HTTP-200 response so that the client can show a validation? I can't find anything that says it isn't.
Depends on the status code being returned and how you intend to use it, but generally you can.
If you know that the response could be parsed, send a JSON/XML document with the right MIME type and information inside. Otherwise just send human-readable HTML content. In both cases obviously set the right HTTP status code.
I suppose it doesn't make sense to send HTML if a machine is getting the response.
But if what you're building has user interaction (e.g. via a browser), then sure.
