Form replay


Form replay allows you to open a session on a protected application by filling a HTML POST login form and autosubmitting it, without asking anything to the user.

This kind of SSO mechanism is not clean, and can lead to problems, like local password blocking, local session not well closed, etc.

Please always try to find another solution to protect your application with LL::NG. At least, check if it is not a known application, or try to adapt its source code.

If you configure form replay with LL::NG, the Handler will detect forms to fill, add a javascript in the html page to fill form fields with dummy datas and submit it, then intercept the POST request and add POST data in the request body.

POST data can be static values or computed from user's session.

To post user's password, you must enable password storing. In this case you will be able to use $_password to fill any password POST field.


You should grab some information:

If you don't know jQuery selector, just be aware that they are similar to css selectors: for example, button#foo points to the html button whose id is “foo”, and .bar points to all html elements of css class “bar”.

For example:

Go in Manager, “Virtual Hosts” » virtualhost » “Form replay” and click on “New form replay”.

Fill values here:

Then click on New variable and add all data with their values, for example:

You can define more than one form replay URL per virtual host.