Auto - Login - Token Expired

I am trying to make an auto login.
But when I post the username & password to this URL, http://xibo.sample/index.php?q=login, I get an error like “expirated form”.
I see there is a token.
Is it possible to deactivate this token, or is there any other solution to consider?

Thanks for your response.

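I have done that with PHP.

```php
<?php
// Constant names must be quoted strings; bare names are an error in PHP 8.
define('URL', 'http://DOMAIN/');
define('USER', 'USER');
define('PASS', 'PASSWORD');

libxml_use_internal_errors(true);

include "lib/Snoopy-2.0.0/Snoopy.class.php";
// qp() is provided by the QueryPath library, which must also be loaded.

$sn = new Snoopy;

$sn->agent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)";

// Fetch the login form so that a fresh token is issued for this session.
$sn->fetchform(URL);

// Collect the value of the hidden "token" field from the form.
$tokens = array();
foreach (qp($sn->results, 'input[name="token"]') as $item) {
  $tokens[] = $item->attr('value');
}

$submit_url = URL . 'index.php?q=login&referingPage=';

$submit_vars["token"] = $tokens;
$submit_vars["username"] = USER;
$submit_vars["password"] = PASS;

// Send back the session cookie that was received with the form.
$sn->setcookies();

$sn->submit($submit_url, $submit_vars);

print($sn->results);
```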

Important fix, Snoopy line 941:

```php
//$postdata .= urlencode($key) . "[]=" . urlencode($cur_val) . "&";
$postdata .= urlencode($key) . "=" . urlencode($cur_val) . "&";
```

The tokens are there to avoid cross site scripting and replay attacks. Disabling them is a really bad idea.

Really really bad idea!

That is also a really bad idea…

The username and password should never be stored once they are entered just the once for login. Auto-login usually functions similar to a “remember me” script where the user has logged in manually once and from then onwards a stored nonce is used to authenticate them. Not something Xibo supports at the moment, but something that could be done with a little thought.

If you must do what you suggest then I would do so by providing a new method “autoLogin” which didn’t check the form token… but really don’t do this :smile:
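
The stored-nonce "remember me" approach described in the reply above, as an added sketch that is not Xibo code and not part of the original thread. The class name `RememberMeStore`, the in-memory array standing in for a database table, and the 14-day lifetime are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical names, in-memory array instead of a database table.
final class RememberMeStore
{
    /** @var array<string, array{hash: string, userId: int, expires: int}> */
    private array $rows = [];

    /** Issue a cookie value after a successful manual login. */
    public function issue(int $userId, int $ttl = 1209600): string
    {
        $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
        $validator = bin2hex(random_bytes(32));  // secret, only ever held by the client
        $this->rows[$selector] = [
            'hash'    => hash('sha256', $validator), // server keeps only the hash
            'userId'  => $userId,
            'expires' => time() + $ttl,
        ];
        return $selector . ':' . $validator;
    }

    /** Returns [userId, freshCookie] on success, or null. Each nonce works once. */
    public function redeem(string $cookie): ?array
    {
        $parts = explode(':', $cookie, 2);
        if (count($parts) !== 2 || !isset($this->rows[$parts[0]])) {
            return null;
        }
        [$selector, $validator] = $parts;
        $row = $this->rows[$selector];
        unset($this->rows[$selector]);           // single use, so a replayed cookie fails
        if ($row['expires'] < time()) {
            return null;
        }
        if (!hash_equals($row['hash'], hash('sha256', $validator))) {
            return null;                          // constant-time comparison
        }
        return [$row['userId'], $this->issue($row['userId'])];
    }
}

// Constructed demonstration with a made-up user id.
$store  = new RememberMeStore();
$cookie = $store->issue(42);
[$userId, $next] = $store->redeem($cookie); // first presentation of the nonce
var_dump($userId);
var_dump($store->redeem($cookie));          // the same cookie presented a second time
var_dump($store->redeem($next) !== null);   // the rotated nonce issued by redeem()
```

The password never leaves the login request: the client holds only a random nonce, and the server holds only its hash, so a leaked token table does not yield usable cookies.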