What does action=/logn and value=^U mean in the following code?

**Elbee** · 05-17-2013, 01:20 PM

Hello,

I was given the following code to post:

Code:

<form action=/login method=post>
<input type=hidden value=^U name=url>
<strong>Library Card Number:</strong>
<input name=user><br /><br />
<span style=margin-left:112px"><strong>PIN:</strong></span>
<input type=password name=pass><br /><br />
<input type=submit value=Login>
</form>

I have never used the <form> code without quotatons marks around areas such as action="/login"
Also, I have never seen the slash used as it is action=/login
I think the value=^U is some type of validation; but I'm not sure.

When this code is used, a popup occurs asking if I would like to view secure Yes or No. If you answer yes, nothing appears on the screen. If you answer no, you see the Library Card Number: and PIN:

I appreciate any help. Thank you, Elbee

**jscheuer1** · 05-17-2013, 03:11 PM

Not using quotes is non-standard. If the value of the attribute has no spaces in it though, the browser doesn't mind.

The action attribute of a form is like the href attribute of an <a href="whatever.htm"> tag. Using a preceding slash tells the browser to begin looking from the root of the domain if the page is live, or the root of the current drive if the page is local. So that form will look in the login folder located in the root of the domain. Presumably there's a file there called index.php or some other default filename that will get loaded automatically once the login folder is looked at.

So - say your domain is, mydomain.com

The file that would be looked for would be:

mydomain.com/login/index.php

The value of the value attribute as ^U might be an artifact. It might be meant to be ctrl+U, but from what you're saying, apparently this form 'works', at least does something. So I guess it's a literal ^U. And you're right, the value of a hidden input is often some sort of validation. When the form is submitted, something checks to see if that hidden value is as expected. The name of the input tends to indicate that a URL is expected though. If this is a server side page, the ^ might be a token telling the server to resolve ^U as a previously defined URL.

As far as what happens when you submit, that's controlled a bit by the browser, the rest probably by the page in the login folder and perhaps also by javascript. That is unless this form is under control of javascript that you haven't shown us.

If you want more help, please include a link to the page on your site that contains the problematic code so we can check it out.

**Elbee** · 05-17-2013, 04:55 PM

You're the best John!

We have a link to the OverDrive website on our website. http://jpl.lib.overdrive.com/B09224A...en/Default.htm

After clicking on the link, the customer must Sign In (See top right corner). When they click on Sign In, they get a security warning (Do you want to view only the webpage content that was delivered securely?) The web page I created and gave to ITD to load in the libproxy will only display correctly if they answer NO.

If they answer Yes, the style sheet is obviously not working and the page looks bad. We would love for that warning to not appear. We don't know if the warning is generated by some code ITD uses since we do not have code on our web page that would cause this (unless of course it has to do with the <form> code I sent you which they gave me).

God help me!

**jscheuer1** · 05-17-2013, 05:35 PM

When I look at the source code I see:

Code:

<form action=/login method=post>
<input type=hidden value=https://libproxy.coj.net/overdrive/jacksonville?URL=Default.htm name=url>
<strong>Library Card Number:</strong>
 <input name=user><br /><br />
 <span style="margin-left:112px"><strong>PIN:</strong></span>
 <input type=password name=pass><br /><br /><input type=submit value=Login> 
</form>

So that hidden field is getting filled in by a URL. And it is to an SSL (https) page. Presumably that's where you go after a successful login. The page with the form on it is itself /login on that server. So it's submitting to itself. That's pretty common. As I say, if the login is successful, it probably goes to that page in the hidden field. If not, you are back on the /login page, presumably now with an error message like "Card number and PIN do not match".

So that's why there's that message. The page it is going to is secure. In order to avoid that message, all content on that page must also be secure. If you have an SSL, a part of your site that's https, then host your css file there and that should take care of it as long as there aren't other insecure things like scripts or images, flash, etc.

Oh, and just hosting those files on an SSL might not be enough, the path to them on your pages may have to include the https prefix and full path.

Do you own the libproxy.coj.net server? Or are you just contracting out login services to it? Or is there a more extensive relationship?

**Elbee** · 05-17-2013, 05:50 PM

Even though we are all city of Jacksonville, FL workers, ITD is very uncooperative with the library. They are in control of that libproxy and that's why I don't know anything about it. They just asked me to create that little login page and they gave me the <form> code to put in it and they do everything else.

I guess we'll just have to talk to them about not wanting that security warning. It's really bad that you have to answer NO to see the login page correctly.

Thanks for all your help, Linda

**jscheuer1** · 05-17-2013, 06:18 PM

Well, you will probably need an SSL or somewhere that's SSL to host your files. Otherwise, the whole idea of logging on is pointless. SSL's are generally not cheap. The cheapest ones are shared SSL's. The libproxy.coj.net server obviously is an SSL, perhaps they would let you host your files, the ones that need to be secure, on their server.

Once someone logs in, what can they do that they couldn't do before logging in?