Is this illegal?

Shioni · 11-21-2006, 04:49 PM

Hi!
We have a website, that has two parts, one is the actual site where all the products are listed, other is our shopping cart witch is provided to us by big company and is actualy on their servers.

All the user account information is stored on the shopping cart server.

We want to make our 'product list' site dynamic, so that user can login etc.. but our shopping cart company refuses to give us user account information, so thats why we can't actualy check if username / password is valid!

I got an idea. When user logs in into our site, the login information will be passed to my application, that tries to log in, into shopping cart (just an regular HTTP POST), and returns me if login was successfull or no. If the login was successfull, then I create a session and user is logged into our site.
That is the only way, that I can think of, to check if login is successfull/invalid.

Is this illegal? Can this be "theaf of bandwith", or something else? I'm living in Maryland. Thank you!

tuxdev · 11-21-2006, 05:01 PM

I suggest that if you can, drop the big company. If you can actually do this, drop them anyway for security reasons.

rednuht · 11-21-2006, 05:14 PM

Are you saying that instead of logging into the big companys website directly from a login form shown on your site you are going to setup a form that looks like that login but submits to your site which then forwards the request onto big company ?
It might be considered fraud if you did not make it clear you were acting as a middle man.

Shioni · 11-22-2006, 12:12 PM

Quote:

Originally Posted by rednuht

Are you saying that instead of logging into the big companys website directly from a login form shown on your site you are going to setup a form that looks like that login but submits to your site which then forwards the request onto big company ?
It might be considered fraud if you did not make it clear you were acting as a middle man.

*We will have a login form in our site.
*When user enters username/password, thous two variables are passed to C Socket client, that acts as an browser, and sends out HTTP POST:

Code:

POST /login.asp HTTP/1.1
Host: ourshoppingcart.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ourshoppingcart.com/login.asp
Content-Type: application/x-www-form-urlencoded
Content-Length: 50

USER=SOME_USERNAME&PASS=SOME_PASSWORD&Submit=Login

SOME_USERNAME and SOME_PASSWORD is variables, witch user entered into our login form. My application acts like a browser and tries to login into the shopping cart using username and password, provided by user from our loggin form.

*My application waits for reply:
if loggin is successfull return 0
else return -1

*I check the return value with php:
if loggin is successfull, I create a PHP session for the user
if loggin was now successful, error is returned.

Basicly, I'm using my their loggin form to test if username/password exists, because I don't have an access to their database.

rednuht · 11-23-2006, 10:29 AM

I hope it is using https, but apart from that I can not see anything wrong with doing that, unless the terms of use of the big company forbid it

b0uncer · 11-23-2006, 10:39 AM

A shopping cart isn't that big thing to create, my advice is that you should spend some time and create one of your own. This way you could handle the site overall better, including security measures. And not have a 3rd party to depend on.