boxee :: forums  

Go Back   boxee :: forums > boxee developers > boxee applications

Reply
 
Thread Tools Display Modes
  #1  
Old May 27th, 2009, 07:07 PM
dloomer dloomer is offline
Junior Member
 
Join Date: Apr 2009
Posts: 29
Default Where are Boxee cookies stored?

(not sure what forum to put this in, but since in my case I'm reading from an RSS feed, might as well place it here)

The Boxee browser used for serving RSS-based media must store cookies somewhere, but where?

What I'm trying to do is get around a login page by pre-storing a cookie (expiration date well into the future) from my desktop browser. The method works fine in my desktop browsers, both Safari and Firefox.

The only cookie file I've found is boxee-cookies.dat, but not only does modifying this file have no effect, but boxee clears out my modifications each time it starts up. It doesn't seem to be in either Safari or Firefox since I already have the cookies set (and working) on those browsers.

Otherwise, any other ideas on getting around a login? My feed is useless otherwise.
Reply With Quote
  #2  
Old May 27th, 2009, 07:16 PM
DPK DPK is offline
Super Moderator
 
Join Date: Feb 2009
Posts: 1,607
Default

In "theory" couldn't you have a login form in your app and then store that data into the local config (all apps have a registry.xml file with saved settings in them specific for themselves). Every time the app launches, check to verify the saved data for user/pass exists in your local config and then pass a request to the login form on the website you are pulling from in query string form. This should cause boxee to create a cookie for its browser on said website. You should then be able to pull the rss feed in without problems.

Again, this is theoretical rambling but would be an option I would consider if I had the problem as it makes boxee's browser do the authentication work all the time and you don't have to worry about tracking cookie files.
__________________
Common issues w/ Boxee:
Beta Important Info | FAQ & Support Requests | Hulu Mature Content | Search

UnBoxeed app development:
Comics.com | ESPN360 | Weather

For more info, follow app development on Twitter!
Reply With Quote
  #3  
Old May 27th, 2009, 07:27 PM
dloomer dloomer is offline
Junior Member
 
Join Date: Apr 2009
Posts: 29
Default

Thanks a lot for the quick reply. I had thought about that method, but unfortunately the login is done inside Flash rather than HTML, so I'm not sure where the login data is being posted or if this is even something I could simulate by doing an HTTP post. And even if I did that, if it was just pure Python code doing the post, that in itself wouldn't create a cookie in the browser (it would just be stored in the memory space of my Python script) unless the script interacts with the browser. Can it do that?

Plus, as of right now there's no app to speak of, it's just a plain RSS feed I add to the My Feeds section. I do figure there's a chance I'll end up needing to make it a Python app for various reasons, but for now still holding out hope it can be done the easy way.

So anyway, any idea where the cookies are stored? It definitely seems to be someplace outside of boxee-cookies.dat, and at one point at least originated from one of my browsers since it does correctly default my user ID which I have only ever entered in my browsers, not in Boxee itself. Boxee just doesn't seem to have access to the new session cookie I'm trying give it (and I've found in Safari and Firefox I can successfully force a permanent login by converting the session cookie to a persistent cookie through some hacking).

Thanks again!
Reply With Quote
  #4  
Old May 27th, 2009, 09:11 PM
DPK DPK is offline
Super Moderator
 
Join Date: Feb 2009
Posts: 1,607
Default

Quote:
Originally Posted by dloomer View Post
Thanks a lot for the quick reply. I had thought about that method, but unfortunately the login is done inside Flash rather than HTML, so I'm not sure where the login data is being posted or if this is even something I could simulate by doing an HTTP post.
  1. Get Wireshark:
    http://www.wireshark.org
  2. Install it and start it up.
  3. Open your browser and go to the page w/ the flash form.
  4. Start logging packets via Wireshark.
  5. Enter your login details in the flash form and submit them, let it process.
  6. Stop logging packets via Wireshark and look for GET requests. Within one of them will be the query being sent from the flash form.
  7. Voila, you'll know where to push a login string.


Quote:
Originally Posted by dloomer View Post
So anyway, any idea where the cookies are stored?
At the moment no idea. I want to say userdata profile directories. I haven't delved into cookies and the boxee browser that much.

Have you looked around your boxee user directories when boxee is running? When running, boxee creates files and when exited it will also remove them from your file system. So sometimes you have to be sneaky and see what it's doing behind the scenes.

Check out the hulu-feeds app and sign in to a hulu account. The hulu-feeds app utilizes cookies. Take a look at the source, particularly main.xml (it imports the python Cookie library and sets user login/password data to a cookie). This app also utilizes the boxee browser so it'd be a good starting point.
__________________
Common issues w/ Boxee:
Beta Important Info | FAQ & Support Requests | Hulu Mature Content | Search

UnBoxeed app development:
Comics.com | ESPN360 | Weather

For more info, follow app development on Twitter!
Reply With Quote
  #5  
Old May 27th, 2009, 09:36 PM
dloomer dloomer is offline
Junior Member
 
Join Date: Apr 2009
Posts: 29
Default

Thanks again. I'll try the Wireshark method soon, although I'm still not sure how I'll programatically access the Boxee browser so that the cookies are still available when I access the RSS feed later. Maybe this is more automatic than I'm envisioning it -- obviously, I haven't actually tried it.

Yeah, it's driving me nuts trying to figure out where the cookies are stored. There are still a few more things I can try as far as hunting it down. But the hulu-feeds thing looks promising. No time to try it right now, but these lines of code in main.xml look like money to me:

Code:
    xbmc.executebuiltin('App.SetString(session,%s)' % session)
    xbmc.executebuiltin('App.SetString(uid,%s)' % uid)
    today = datetime.date.today()
    xbmc.executebuiltin('App.SetString(expiry,%s)' % today)
Something tells me that the xbmc object at least indirectly refers to the browser, and SetString is setting the cookies. I hope!

Thanks once again...
Reply With Quote
  #6  
Old May 27th, 2009, 09:52 PM
DPK DPK is offline
Super Moderator
 
Join Date: Feb 2009
Posts: 1,607
Default

SetString is not setting cookies, it's storing config data for the app. Look at lines 287 to 306 for how to set cookies.

Code:
import random
import os.path
import urllib2
import Cookie
import xbmc
import xbmcgui
import datetime
def login_hulu(user, password):
    url = 'https://secure.hulu.com/account/authenticate?' + `random.randint(100000000, 999999999)`
    user_agent = 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)'
    headers = { 'User-Agent': user_agent,
            'Cookie': 'login=' + user + '; password=' + password + ';',
            'Referer':  'http://www.hulu.com/'}
    req = urllib2.Request(url, None, headers)
    response = urllib2.urlopen(req)
    C = Cookie.SimpleCookie()
    C.load(response.info()['Set-Cookie']);
    return C['_hulu_session_id'].value, C['_hulu_uid'].value
Also refer to the boxee api:
http://developer.boxee.tv/python-api-reference

...and the python Cookie library:
http://docs.python.org/library/cookie.html
__________________
Common issues w/ Boxee:
Beta Important Info | FAQ & Support Requests | Hulu Mature Content | Search

UnBoxeed app development:
Comics.com | ESPN360 | Weather

For more info, follow app development on Twitter!
Reply With Quote
  #7  
Old May 27th, 2009, 10:06 PM
dloomer dloomer is offline
Junior Member
 
Join Date: Apr 2009
Posts: 29
Default

Drats, I was hoping that wasn't the case. My suspicion is that urllib2 doesn't interact at all with the Boxee browser -- in a "regular" Python app at least, it just works within the memory space of the Python script. But I'll report back after I've actually tried it.

In the case of Hulu, I haven't used the feeds app much but it looks to me like the browser never needs to read the login cookie, since the feeds are all (I believe) public. The login might just be used for reading the user queue.

Maybe I should check out Netflix. Definitely uses a login cookie in order to play back content, although I'm not sure if it uses the Boxee browser or not.
Reply With Quote
  #8  
Old May 28th, 2009, 02:36 PM
ameno ameno is offline
Senior Member
 
Join Date: Jan 2009
Location: Los Angeles, CA
Posts: 111
Default

Is it a single login or are you going to have each app user log in separately? Do you control the server or is it someone elses?

Those are important questions as to how to solve your issue. If it is a single login, you could use a proxy server (I'd personally use php and curl). Pass the cookies to the relevant pages via curl, get the response with regex functions, feed that back to boxee and then open the media that way.

The biggest issue that is going to keep coming up now that Boxee made the browser workaround is people using the browser as a "shortcut." It really isn't. Between the functionality in urllib and using proxy servers, you should be able to literally get the address (even if it's behind authorization) for the actual file being served into the flash/silverlight player in question and then it's only about 100 lines of actionscript code to have a fully functional boxee player that will play that. In the end, developing that out and understanding it will save you time as, in the end, once the auth is bypassed, all flash-compatible media is served via the same object (NetStream). Same idea with Silverlight.
Reply With Quote
  #9  
Old May 28th, 2009, 02:58 PM
dloomer dloomer is offline
Junior Member
 
Join Date: Apr 2009
Posts: 29
Default

Thanks -- it's a per-user login. I'm trying to get Boxee to work with MLB.tv, so yeah, it's not my server obviously.

Someone else on these forums (I believe linuxphan) has declared that he has his own MLB.tv project going using the open-source mlbplayer to do the authentication and serve up an MP4 stream; I was just trying to do a quick-and-dirty fix while I was waiting, but I had done zero Boxee development before and was pre-supposing that through some hack or other I'd be able to manipulate the cookies used by the browser. Without that, it's pretty clear that RSS won't cut it, as this will clearly be a more sophisticated project than merely RSS / Yahoo Pipes.

When you talk about getting the URL of the stream and writing ActionScript code, I assume I'd be hosting a homemade flash player on one of my servers, and referring to that URL in my Python code? I might not understand correctly.

What I was going to try next -- and correct me if I can't do this -- is to perform a login using urllib2 much like hulu-feeds/netflix do, collect the cookies returned, and pass them on to a request to the same URL used by the HTML page that houses the viewer in my desktop browser. An mc.ListItem object can take an HTML page and then find the media played within it, correct? I thought I had read that someplace, but hopefully I'm not still on the wrong track
Reply With Quote
  #10  
Old May 28th, 2009, 05:01 PM
ameno ameno is offline
Senior Member
 
Join Date: Jan 2009
Location: Los Angeles, CA
Posts: 111
Default

Quote:
Originally Posted by dloomer View Post
When you talk about getting the URL of the stream and writing ActionScript code, I assume I'd be hosting a homemade flash player on one of my servers, and referring to that URL in my Python code? I might not understand correctly.
That is exactly what I am saying. I've created several such players for my boxee apps (boXXXee actually uses three different ones depending on what media you play). They are each about 1K in size, so you can serve those form anywhere pretty much.

Quote:
Originally Posted by dloomer View Post
What I was going to try next -- and correct me if I can't do this -- is to perform a login using urllib2 much like hulu-feeds/netflix do, collect the cookies returned, and pass them on to a request to the same URL used by the HTML page that houses the viewer in my desktop browser. An mc.ListItem object can take an HTML page and then find the media played within it, correct? I thought I had read that someplace, but hopefully I'm not still on the wrong track
You really might not need cookies. That was what I was trying to explain. You might not need a browser either.

I am going to make a broad assumption here, since I don't have an account to test this, but the url for the demo they show is http://mediadownloads.mlb.com/mlbam/...83921_800K.mp4.

That very much looks to me like the type of CDN file structure they would be using to serve content to the whole site. If that is it, then you can definitely get this into a flash player. The cross-domain file would allow you to: http://mediadownloads.mlb.com/crossdomain.xml .

Now. Stop thinking in terms of "player." Start thinking in terms of "media." you'll see that you can simply give Boxee that mp4 url I posted and it will play the demo.

So, what I would try FIRST is this process:

Forget urllib and python for a second. Use PHP, Coldfusion, ASP, whatever to initiate a curl call that logs in to MLB.tv (storing and returning cookies). Check the documentation regarding cookies at http://curl.haxx.se/docs/manual.html.

Then, with those cookies, you are going to use curl to call the page that the player is embedded in. Somewhere, there will be an embed code. That code will HAVE TO feed flashvars (basically GET values) to the flash player. The Flash player will then intake those, do what it needs to do and call the video.

There are really only two possibilities:

1. One of the flashvars is the video itself and you basically just need to prepend or append pieces of the url to get it.
2. One of the flashvars gives a value that the flash player uses to call their API and get the url of the physical file.

The bottom line is, the flash player MUST have an actual URL to call.

I make use of two main tools.
URLSnooper 2
and
Sothink SWF Decompiler

URLSnooper 2 will allow you to see what the actual file that the flash player calls is.

SWF Decompiler will allow you to go in and look at how the flash player is manipulating the flash vars.

From experience, most of the security is player based and dead simple.

So, once you know what manipulation is done to a flashvar in order to change it into a url that is useable, you do this:

1. Use curl and some scripting language (I use php) to log into the site and pull the source code from the page in question (screen scrape)
2. use regular expressions to grab the flash vars from the embed code of the video you want.
3. Manipulate the flashvars appropriately
4. Feed the clean, ready-to-go url back to boxee either in an RSS feed or via urllib.

And... voila.

There are security methods that can be used to circumvent this, but there are probably only a dozen of us working in the industry who use them regularly. But up until now there hasn't been a reason to... there was no Boxee
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -5. The time now is 06:29 PM.


skin based on greenzero from vBSkins.com

 
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2012, vBulletin Solutions, Inc.