I’ve been building a bot that automates a task for a specific industry. I was wondering if there was a standard way to bot a site using a users credentials without saving them to my db. For instance, would I be able to use something like Hound, and have the user log in and save the cookie to be used within the Hound sessions? My application is going to help a lot of people, but the only draw back is that it currently stores the users credentials to my db (encrypted of course), but now that I want to use it for more than just friends I want to make sure I am doing things properly.
Store cookie, as this is slightly more secure. While it still do not secures you from the breakage and leakage of the secrets, it is much less plausible that single cookie will be used in more than one service. Alternatively check if the services you are using do not publish some kind of API that you could use with OAuth or similar authorisation protocol.
Right now I am using Hound to log in and save the cookie within the DB for use in the future. Is there a way to capture the cookie from the user logging into the site? There is absolutely no chance of a public API as I’m building a tool for an internal site that didn’t anticipate 3rd party tools ever plugging into
I guess the way I could do it would be if there isn’t an active cookie in the DB then it asks for the username and pw at the time the bot is needing to input it. Not save the credentials, but update the cookie on successful login.
How long are cookies usually valid for?
Impossible to tell, as it depends on the service.
The lifetime of the cookie is usually a good indicator, but it’s not always accurate as the service can cut it off sooner too.
Good point. For some reason I have a hard time realizing that sites we use are similar to sites we make and I tend to ask stupid questions because of it.