Appending Session Info to URL

PHP script trying to access pages on external site

         

freshfish

5:52 pm on Feb 23, 2005 (gmt 0)

10+ Year Member



Hello…I’m in desperate need of some help & would greatly appreciate some guidance

I’m a newbie and not a programmer so some of my lingo may sound silly :o))
I have a script that queries an external site. The script is in PHP and the site is built in CFM. The pages the script needs to access are behind a log-in page. There are 3 pages (Page 1, Page 2, Page 3).

The script essentially asks for the u/p and then adds that info to the posted string (I’m guessing page.cfm?user=abc&pass=123)

The script accesses Page 1 just fine. That is the first page after the site’s login screen.
Page 2 & 3 cannot be accessed – a login error occurs each time. I’m assuming because the pages require more info passed along in the URL.

The site uses cookies. I have figured out that Page 1 can be accessed with cookies disabled in the browser. However, when I try to access Page 2 & 3 through the browser with the cookies turned off, I get the login error message.

The site installs several cookies and this is what they look like (edited)
.sitexdomain.com TRUE/FALSE 123456789 CFMAGIC 343434343434
.sitexdomain.com TRUE/FALSE 123456789 CFGLOBALS HITCOUNT ...LAST VISIT....etc
.sitexdomain.com TRUE/FALSE 123456789 CFTOKEN 98989898
abc.sitexdomain.com FALSE/FALSE 123456789 CFTOKEN ABC123...
.sitexdomain.com TRUE/FALSE 123456789 CFID 2323232

What would the URL look like if I wanted to access page2.cfm directly? What info would need to be appended besides the u/p?

/page2.cfm?_____________________________

THANKS A MILLION!
freshfish

StupidScript

6:12 pm on Feb 23, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



They are probably using session information to identify and correlate a visitor's visit. A valid login exchange sets the session information, probably using the cookie, and depends on that info to verify the visitor is really logged in.

You can post your fake URL with the login u/p, but the real login form won't have been processed, and no session is set, therefore you did not really log in, and are not considered a valid user when the cookie containing the session data is not found.

BTW: Any requests for help using a local process to access someone else's site (as this obviously is) sounds fishy (pardon the pun). You probably should not be doing this, especially since the remote site seems to be particular about who it lets into the areas you want to access.

Why don't you get yourself a valid account at the remote site, and then use real login info with a real login process? If this is unavailable to you, you can assume that the remote site does NOT want someone doing what you are trying to do, making it illegal under US Federal law to attempt to do it.

freshfish

6:43 pm on Feb 23, 2005 (gmt 0)

10+ Year Member



Thanks StupidScript for the quick response. However, I do have u/p for the site hence my ability to figure out the cookies. I had a script written to help me streamline the work I already do at the site - so I'm not actually trying to access something I'm not supposed...I already have access to it but want to automate some manual tasks.

With that said, I would like to clarify that when I manually browse through the site, I login through the login page and the first page I access is Page 1. This page is accessible through the script as it doesn't seem to need the cookies to access it. However, when I tried to get the script to access the other pages (which I have access to when browsing manually) I could not. So I would like to know what the URL would look like with the appended info - any guidance?

StupidScript

9:32 pm on Feb 23, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



What does it look like when you log in normally and then go to Page 2?

freshfish

9:52 pm on Feb 23, 2005 (gmt 0)

10+ Year Member



The URL doesn't show any signs of session info.
I go to the log in page and click submit. I'm taken to page1.cfm which I can access without cookies.

On page1.cfm there is a link to /page2.cfm and /page3.cfm

The links are normal href="http://www.site.com" style

However, I did notice that on page2.cfm there was a new cookie introduced...a SaneID with my IP logged

But that would not explain why the page3.cfm could not be accessed except that the pages are looking at the referring URLs (and/or session info).

Hope that was enough info...let me know if you need more

StupidScript

11:15 pm on Feb 23, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm going with "the real login form won't have been processed, and no session is set".

From what you've said, it sounds like you need a session to proceed, regardless of the cookies. Unless you go through the login form properly, there is no session being set, and you are kept from going to interior pages.

For a PHP-related example, let's say you set up a login page something like:

<?php

# Start (or resume) the session so $_SESSION is available
session_start();

if (isset($_SESSION["userid"])) {
    # Session is in-progress, proceed
    header("Location: loggedin.php");
    exit;
}
elseif (isset($_GET["userid"])) {
    # Logging in ...
    # [process login]
    # [rest of session establishment stuff]
    # Proceed
    header("Location: loggedin.php");
    exit;
}
else {
    # No logging in, no session, so print login form
    print("<form method=get>\n");
    print("<input type='text' name='userid'>\n");
    print("<input type='password' name='upwd'>\n");
    print("</form>\n");
}

?>

On each page thereafter:

<?php

# Resume the session before reading $_SESSION
session_start();

if (!isset($_SESSION["userid"])) {
    # Session is not set, so send 'em back to the beginning
    header("Location: index.php");
    exit;
}

?>

You almost undoubtedly need a valid session to continue after the "loggedin" page.

<edit>It's even probable that the session info is included with the login form. That would explain why, when you use your script to login, it lets you to the follow-up page, but misses the session data and kicks you after that. Sessions (using 32-character randomized strings for ID) are stored on the server as they are created, and checking the current session against the active established sessions on the server reveals that a real login has not actually taken place.</edit>
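Added example, not part of the original posts and not the remote site's code: a simplified PHP model of the server-side check described above, showing why credentials appended to the URL get past Page 1 but not Page 2. The page and cookie names (CFID, CFTOKEN) come from the thread; the account, the session store layout and handle_request() are assumptions made for illustration.

```php
<?php
// Added example: simplified model of server-side session checking.
// Page and cookie names follow the thread; the account, store layout
// and handle_request() are constructed for illustration.
$USERS = ['abc' => password_hash('123', PASSWORD_DEFAULT)]; // constructed account
$SESSIONS = [];   // server-side store: CFID => ['token' => ..., 'user' => ...]
$NEXT_ID = 1000;

function handle_request(string $path, array $query, array $cookies): array
{
    global $USERS, $SESSIONS, $NEXT_ID;

    if ($path === '/page1.cfm') {
        // Login target: the only page that looks at the credentials.
        $user = $query['user'] ?? '';
        $hash = $USERS[$user] ?? null;
        if ($hash === null || !password_verify($query['pass'] ?? '', $hash)) {
            return ['status' => 403, 'body' => 'login error', 'set_cookie' => []];
        }
        $cfid = (string) $NEXT_ID++;
        $token = bin2hex(random_bytes(16));   // 32-character random string
        $SESSIONS[$cfid] = ['token' => $token, 'user' => $user];
        return ['status' => 200, 'body' => 'page 1',
                'set_cookie' => ['CFID' => $cfid, 'CFTOKEN' => $token]];
    }

    // Interior pages ignore the query string and check the session cookies only.
    $cfid = $cookies['CFID'] ?? '';
    $session = $SESSIONS[$cfid] ?? null;
    if ($session === null || !hash_equals($session['token'], $cookies['CFTOKEN'] ?? '')) {
        return ['status' => 403, 'body' => 'login error', 'set_cookie' => []];
    }
    return ['status' => 200, 'body' => "$path for {$session['user']}", 'set_cookie' => []];
}

$creds = ['user' => 'abc', 'pass' => '123'];
$login = handle_request('/page1.cfm', $creds, []);
$noCookie = handle_request('/page2.cfm', $creds, []);   // u/p in URL, no cookies
$withCookie = handle_request('/page2.cfm', [], $login['set_cookie']);
$forged = handle_request('/page2.cfm', [],
    ['CFID' => $login['set_cookie']['CFID'], 'CFTOKEN' => str_repeat('0', 32)]);

foreach (compact('login', 'noCookie', 'withCookie', 'forged') as $name => $r) {
    printf("%-10s %d %s\n", $name, $r['status'], $r['body']);
}
```

Only the request that returns the cookies issued at login reaches Page 2; the token is compared with hash_equals() so the check does not leak timing information about the stored value.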

freshfish

3:16 pm on Feb 24, 2005 (gmt 0)

10+ Year Member



Woah...thanks for that script sample! You have really helped me understand the situation much more clearly.

Now, my big question is...can a script emulate a surfer and have a session 'assigned' so that the pages that look for the session info would accept the script? For example, what if I were browsing the site from a linux computer...would the cookies/session be stored?

freshfish

11:06 pm on Feb 27, 2005 (gmt 0)

10+ Year Member



hey there...wondering if anyone can assist me further with the last question....can a script get/post session information so that it can access pages of a site that are cookie protected?

Thanks