Orkut/google login schemas
My original personal blog at fh-net.com seems to be down because fh-net.com is down, so here is a copy of the post I made there on Orkut/Google login schemas.
First, a warning: only those with a deep understanding of cookies, sessions and logins should read this. It is a totally original article, an attempt to figure out everything about how orkut logs you in. It is more of a "Hey, it happens this way" than a "Whoa, I found out something amazing".
First, let's see what happens when you visit orkut.com. You get a screen which sets the Google Analytics tracker cookies and a TZ cookie (neither of which we bother with). The login page contains an iframe pointing to https://www.google.com/accounts/ServiceLoginBox with the (important) parameters-
service=orkut
skipll=true&skipvpage=true
continue=http%3A%2F%2Fwww.orkut.com%2FRedirLogin.aspx%3Fmsg%3D0%26page%3Dhttp%253A%252F%252Fwww.orkut.com%252F
followup=http%3A%2F%2Fwww.orkut.com%2FGLogin.aspx
hl=en-US (lang)
Just decoding the continue string, we see-
http://www.orkut.com/RedirLogin.aspx?msg=1&page=http%3A%2F%2Fwww.orkut.com%2F
Go there and try it out. It looks like a normal login page, but the service box is redundant. You will see that the continue parameter now looks like-
http://www.orkut.com/RedirLogin.aspx?msg=0&page=http%3A%2F%2Fwww.orkut.com%2FRedirLogin.aspx%3Fmsg%3D1%26page%3Dhttp%253A%252F%252Fwww.orkut.com%252F%26followup%3Dhttp%3A%2F%2Fwww.orkut.com%2FGLogin.aspx
Decoding the “page” variable-
http://www.orkut.com/RedirLogin.aspx?msg=1&page=http%3A%2F%2Fwww.orkut.com%2F&followup=http://www.orkut.com/GLogin.aspx
Recognise it? It means that when we submit the form to Google for login, the page we came from is carried along with it (as the followup parameter, not only in the Referer header). And note that this is totally independent of whether you have already logged in to orkut (you will see where I am going with this later). Also, note the address of the page: it is GLogin.aspx?done=[page]. Think!
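The nesting above (continue wrapping page wrapping followup, each level percent-encoded one more time) is easier to see by unwrapping it mechanically. The following is an added example, not code from the original post: it walks the redirect parameters of the two continue URLs captured in this post one decoding level per hop, exactly as each server in the chain would see them, and checks the host of every hop against an allowlist. That host check is the one a practitioner wants on any continue/page-style parameter, since such parameters are the classic open-redirect vector. The allowlist, the depth limit and the tampered URL are assumptions made up for the demonstration.

```python
"""Unwrap the nested continue/page/followup redirect parameters seen in the
Orkut/Google login URLs and check every hop against a host allowlist.
Added example, not code from the original post."""
from urllib.parse import parse_qs, quote, urlsplit

# Parameters the login flow uses to carry "where to go next". Each value is a
# URL that may itself carry more of them, percent-encoded one level deeper.
REDIRECT_PARAMS = ("continue", "page", "followup")

# Hosts that legitimately appear in the chain (assumption for the check).
ALLOWED_HOSTS = {"www.orkut.com", "www.google.com"}

# Guard against a chain built to recurse forever (assumed limit).
MAX_DEPTH = 8

# The continue URL as captured in the post after visiting RedirLogin.aspx.
LOGIN_CONTINUE = (
    "http://www.orkut.com/RedirLogin.aspx?msg=0&page=http%3A%2F%2Fwww.orkut.com"
    "%2FRedirLogin.aspx%3Fmsg%3D1%26page%3Dhttp%253A%252F%252Fwww.orkut.com%252F"
    "%26followup%3Dhttp%3A%2F%2Fwww.orkut.com%2FGLogin.aspx"
)

# The continue URL handed to TokenAuth later in the post (page= is relative).
CHECKCOOKIE_CONTINUE = (
    "https://www.google.com/accounts/CheckCookie?continue=http%3A%2F%2Fwww.orkut"
    ".com%2FRedirLogin.aspx%3Fmsg%3D0%26page%3D%252FHome.aspx%253Fxid%253D"
    "5239296434780423392&followup=http%3A%2F%2Fwww.orkut.com%2FGLogin.aspx"
    "&service=orkut&hl=en-US&chtml=LoginDoneHtml&skipvpage=true"
)


def unwrap(url, via=None, depth=0, out=None):
    """Depth-first walk of the redirect chain.

    Returns a list of (depth, parameter_name, url). parse_qs percent-decodes
    one level per hop, which is how each server in the chain sees the value.
    """
    if out is None:
        out = []
    if depth > MAX_DEPTH:
        raise ValueError("redirect chain nested too deeply")
    out.append((depth, via, url))
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            # Only follow values that are absolute URLs or site-relative paths.
            if "://" in value or value.startswith("/"):
                unwrap(value, name, depth + 1, out)
    return out


def offsite_hops(url, allowed=ALLOWED_HOSTS):
    """URLs in the chain whose host is not on the allowlist.

    Relative paths (empty netloc) inherit the parent's host and are accepted.
    """
    bad = []
    for _, _, hop in unwrap(url):
        host = urlsplit(hop).netloc.lower()
        if host and host not in allowed:
            bad.append(hop)
    return bad


def tampered(url, evil="http://evil.example/"):
    """Constructed: replace the outermost page= value with an off-site URL."""
    base, _, _ = url.partition("&page=")
    return base + "&page=" + quote(evil, safe="")


if __name__ == "__main__":
    for captured in (LOGIN_CONTINUE, CHECKCOOKIE_CONTINUE):
        for depth, via, hop in unwrap(captured):
            print("  " * depth + f"[{via or 'start'}] {hop}")
        print("off-site hops:", offsite_hops(captured))
        print()
    print("off-site hops in tampered chain:", offsite_hops(tampered(LOGIN_CONTINUE)))
```

Note that parse_qs turns a literal + into a space; the captured values contain none, but a chain carrying base64 with + in it would have to be percent-encoded first.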
Alright, that is the preliminary check. Now let's see what gets sent when you submit the form (yes, I am too lazy to read the source)-
continue=http%3A%2F%2Fwww.orkut.com%2FRedirLogin.aspx%3Fmsg%3D0%26page%3D%252FHome.aspx%253Fxid%253D5239296434780423392
followup=http%3A%2F%2Fwww.orkut.com%2FGLogin.aspx
service=orkut
nui=2
skipvpage=true
skipll=true
hl=en-US
GA3T=CQ78r8M_LWU
Email=[something]
Passwd=[something]
PersistentCookie=yes
rmShown=1
null=Sign+in
Most of these we already recognise. GA3T probably stands for Google Accounts something; I am not sure what, but it carries a seemingly random value, probably some sort of checksum. The same value comes back as a cookie in the response (see below), which is the shape of a double-submit anti-CSRF token: the server checks that the cookie and the hidden form field match, and so does not have to rely on the Referer header, which browsers and proxies often strip. Most of the other fields are either browser settings or the "remember me" option.
Posting this, we get a nice little response from Google, which first sets the following cookies-
SID= a TREMENDOUSLY LONG case-sensitive alphanumeric string with hyphens at regular intervals (probably several components concatenated); expires somewhere in 2017.
GA3T=CQ78r8M_LWU (recognise this?). It may be a checksum for making the cookies a bit more secure or something; it is the same value the form posted.
GoogleAccountsLocale_session=en (English)
LSID= Now this one is strange. Viewing the headers shows some real junk: it is set multiple times with an Expires date back in 1990 (an Expires date in the past is how a server tells the browser to delete a cookie, so those are clearing any old LSID). Eventually it gets set to DQAAAI****AIqgK9HyWnrp9wJnJnXKIkXu4CYxpgoloNv5i8I*zOaFD7oPenHC_yxaAXobufNmpYq113BsqoFfDJ7YiIgahYLm5F1*K4Dude2ms4rcNcNcDOzCyAYg9othn1Ii1yvrKkPGXAG9E2jBm8Um*U5towqpD1D10PCdizJvwU3LAg1Q , but only over the secure (HTTPS) connection. All I can make out is the word Dude, which makes sense.
Then it outputs some JavaScript to redirect to TokenAuth.
The TokenAuth
The GET query string is long, so I break it up (and decode it) as-
continue=https://www.google.com/accounts/CheckCookie?continue=http%3A%2F%2Fwww.orkut.com%2FRedirLogin.aspx%3Fmsg%3D0%26page%3D%252FHome.aspx%253Fxid%253D5239296434780423392&followup=http%3A%2F%2Fwww.orkut.com%2FGLogin.aspx&service=orkut&hl=en-US&chtml=LoginDoneHtml&skipvpage=true
auth=TREMENDOUSLY long string again.
We are more interested in the outcome. The script AGAIN sets the SID and LSID cookies to the earlier values (again with the bogus LSID expiry), everything the same. It sends a 302 (redirect) and sends us on to CheckCookie with the query string parameters-
continue=http://www.orkut.com/RedirLogin.aspx?msg=0&page=%2FHome.aspx%3Fxid%3D5239296434780423392
followup=http://www.orkut.com/GLogin.aspx
service=orkut
hl=en-US
chtml=LoginDoneHtml
skipvpage=true (no clue about this one)
So we find that TokenAuth apparently had no reason to be there in the first place. It places the same old cookies back with the same old values and redirects to CheckCookie, without any other token.
And voila, still nothing: yet another seemingly useless redirection, because CheckCookie, although it may well be "checking" the cookies, does not modify any values as such. The value of SID is not changed, and LSID is reset in the same lame manner as before. (The round trip is the only way the server can learn whether the browser actually stored the cookies it set: it sees them only on the next request, which is what CheckCookie is for.) But look beyond that, and there is a redirection on this page to SetSID, which accepts a long query string-
ssdc=1
sidt=NCWYYhMBAAA=.D9uKQk+/7Um5yenrm0f6GQwd2bccekqTV744ZrWxuXzF4Y6KMUYk4Wj331p9BEuw4MHl5RR7CnPemACZoXdiG66p/2d8kehVu6rzsLoCSVmGV9/yMRZg7uJjJx/ib95mIGFZ4qsR0gecJMsjOBYlteWUrDJFw+h6tS9qIOmIeJY2bx8e7796UgkoLieDQJXGFY5eYYPM53Ksm4r9v/Z8Zhm4Eb/Q8RHVcAwYGlHpB5OZtLckrb4j+kFcj0g0hRXZhSW8UCr2+PPp4gDE7dmJIA==.2kc6T4NPnriT3TQkIlxU1A==
continue=http://www.orkut.com/RedirLogin.aspx?msg=0&page=%2FHome.aspx%3Fxid%3D5239296434780423392&auth=DQAAAIIAAAAnN0_ENJwCttMyPV6Tz6wRh8JSrbvAJzGNB1SWMO65UoC7fcT9CzmmFxFp_SXfesrvrWV0H5e1Amzd8kNe25kFDhwfsITasPcXHQ0oX4qzzQ1eyJvixiCrb8oN_agAE5WSaY150HBhdzwhFx8RwuTkAHz6y2SwdCjursc_NgaTvGZD2mbkRwSdEJ_erYroUNE
The sidt: not much to say, except that it is clearly encoded rather than a bare session id. Those == at the end remind us of base64, and in fact each of the three dot-separated fields is valid standard base64 (alphabet A-Z, a-z, 0-9, + and /, with = padding); what they decode to is opaque binary (8 bytes, then a long block, then 16 bytes), so it is a structured token rather than readable text. Its purpose is to make sure the page is not requested directly but only after CheckCookie, which is fair enough, since the sidt seems rather hard to guess.
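To settle the base64 question, here is an added example (not the post's code) that splits the sidt printed above on the dots and strictly base64-decodes each field, reporting how many bytes come out. It also shows a pitfall when replaying the SetSID request: the value contains + and /, so it must be percent-encoded in the query string, otherwise a query-string parser turns + into a space and the token is corrupted. The two query strings built in the block are constructed for the demonstration.

```python
"""Split the sidt value handed to SetSID into its dot-separated fields and
base64-decode each one strictly. Added example, not code from the original post."""
import base64
import binascii
from urllib.parse import parse_qs, quote

# The sidt exactly as printed in the post, i.e. already percent-decoded.
SIDT = (
    "NCWYYhMBAAA=."
    "D9uKQk+/7Um5yenrm0f6GQwd2bccekqTV744ZrWxuXzF4Y6KMUYk4Wj331p9BEuw4MHl5R"
    "R7CnPemACZoXdiG66p/2d8kehVu6rzsLoCSVmGV9/yMRZg7uJjJx/ib95mIGFZ4qsR0gec"
    "JMsjOBYlteWUrDJFw+h6tS9qIOmIeJY2bx8e7796UgkoLieDQJXGFY5eYYPM53Ksm4r9v/"
    "Z8Zhm4Eb/Q8RHVcAwYGlHpB5OZtLckrb4j+kFcj0g0hRXZhSW8UCr2+PPp4gDE7dmJIA==."
    "2kc6T4NPnriT3TQkIlxU1A=="
)


def split_fields(sidt):
    """The dot-separated fields as a list of strings."""
    return sidt.split(".")


def decode_fields(sidt):
    """Strictly base64-decode each field (standard alphabet, proper padding).

    Returns [(field_chars, decoded_bytes), ...]; raises ValueError naming the
    field index if any field is not valid standard base64.
    """
    out = []
    for i, field in enumerate(split_fields(sidt)):
        try:
            raw = base64.b64decode(field, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"field {i} is not standard base64: {exc}") from exc
        out.append((len(field), raw))
    return out


def field_lengths(sidt):
    """Decoded byte length of every field."""
    return [len(raw) for _, raw in decode_fields(sidt)]


def sidt_from_query(query_string):
    """Pull sidt out of a raw SetSID query string.

    '+' in a query string means space unless it was sent as %2B, so a request
    that pastes the value in unencoded corrupts the base64.
    """
    values = parse_qs(query_string, keep_blank_values=True).get("sidt")
    if not values:
        raise ValueError("no sidt parameter")
    return values[0]


# Constructed query strings: one correctly percent-encoded, one with the raw
# value pasted in unencoded (a common mistake when replaying captured requests).
GOOD_QUERY = "ssdc=1&sidt=" + quote(SIDT, safe="")
BAD_QUERY = "ssdc=1&sidt=" + SIDT


if __name__ == "__main__":
    for n, (chars, raw) in enumerate(decode_fields(SIDT)):
        print(f"field {n}: {chars} base64 chars -> {len(raw)} bytes, starts {raw[:8].hex()}")
    print("encoded query round-trips:", sidt_from_query(GOOD_QUERY) == SIDT)
    try:
        field_lengths(sidt_from_query(BAD_QUERY))
    except ValueError as exc:
        print("unencoded query:", exc)
```

The 8-byte and 16-byte outer fields around a long middle block are the usual shape of an identifier plus an opaque payload plus a tag; what they actually are is not knowable from the outside, which is the author's point.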
The continue part now looks interesting, though. Let's percent-decode it once more-
http://www.orkut.com/RedirLogin.aspx?msg=0&page=/Home.aspx?xid=5239296434780423392&auth=DQAAAIIAAAAnN0_ENJwCttMyPV6Tz6wRh8JSrbvAJzGNB1SWMO65UoC7fcT9CzmmFxFp_SXfesrvrWV0H5e1Amzd8kNe25kFDhwfsITasPcXHQ0oX4qzzQ1eyJvixiCrb8oN_agAE5WSaY150HBhdzwhFx8RwuTkAHz6y2SwdCjursc_NgaTvGZD2mbkRwSdEJ_erYroUNE
I did some research on this part, since it looks like the entry point to the orkut login system. The auth issued by ServiceLoginBoxAuth is used throughout.
Now this is probably a backend part of the script. You see the xid, right? That might be a token id issued by ServiceLoginBoxAuth. RedirLogin.aspx probably sends the data it gets from the query string to Google's servers to check, first, that the auth is correct; this works like a checksum/session id for the login part. The xid is probably first checked against that auth on the Google server, and then the profile id is returned.
Once that is done, orkut sets up a session cookie (along with some other stuff), orkut_state, which contains multiple parameters. Yes, that is right: one cookie, various things, and eventually a nice session id. It is a set of fields with : as the delimiter-
ORKUTPREF=ID=[session id]
INF=0
SET=[some other number]
LNG=[no clue, but looks boolean]
CNT=[country telephone code, like 91 for India in my case]
RM=[probably the remember-me option]
USR=[login email address] (base64 encoded)
PHS=[no clue, since it was blank for me]
TS=[no clue, since it was blank for me]
LCL=[language]
NET=[probably the type of connection, direct or via proxy (depending on a proxy keep-alive header)]
TOS=[clueless]
GC=[AHA, the Google auth]
E=[again the login address?] (base64 encoded)
GTI=[some boolean value, perhaps a preference or something]
GID=[login email address] (base64 encoded) (again?)
VER=[version?]
S=[no clue]
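A parser for that cookie layout, as an added example (not code from the post or from orkut). The sample cookie is constructed from the field list above with placeholder values; the base64 fields decode straight back to the e-mail address, which is the point worth noticing: base64 is an encoding, not encryption, and the same cookie carries the Google auth token in GC, so it deserves the Secure and HttpOnly attributes. The post does not record which attributes orkut actually set, so the sample omits them and the check reports them as missing; that is a property of the constructed sample, not a finding about orkut.

```python
"""Parse the colon-delimited ORKUTPREF cookie layout described above.
Added example, not code from the original post or from orkut."""
import base64

# Fields the post reports as base64-encoded e-mail addresses.
B64_FIELDS = ("USR", "E", "GID")

# Attributes a cookie carrying an auth token and an identity should have.
WANTED_ATTRS = ("secure", "httponly")


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample following the field list in the post. Every value is a
# placeholder; GC mimics only the "DQAAA" prefix seen on the auth tokens.
SAMPLE_SET_COOKIE = (
    "ORKUTPREF=ID=11111111111111111111:INF=0:SET=1234567890:LNG=1:CNT=91:RM=1"
    + ":USR=" + _b64("user@example.com") + ":PHS=:TS=:LCL=en-US:NET=1:TOS=1"
    + ":GC=DQAAAxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:E=" + _b64("user@example.com")
    + ":GTI=1:GID=" + _b64("user@example.com") + ":VER=1:S=0"
    + "; Path=/; Domain=.orkut.com"
)


def parse_orkutpref(value):
    """Split 'K=V:K=V:...' into a dict in field order.

    Splitting on the first '=' only keeps base64 padding ('=') inside values
    intact; ':' is safe as a delimiter because the base64 alphabet has none.
    """
    fields = {}
    for part in value.split(":"):
        if not part:  # tolerate a trailing ':' as shown in the post
            continue
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = val
    return fields


def decode_identity_fields(fields):
    """Decode the base64 e-mail fields; blank fields are skipped."""
    out = {}
    for name in B64_FIELDS:
        if fields.get(name):
            out[name] = base64.b64decode(fields[name], validate=True).decode()
    return out


def from_set_cookie(header_value):
    """Split a Set-Cookie value into (ORKUTPREF fields, attribute dict)."""
    first, *attrs = [p.strip() for p in header_value.split(";")]
    name, _, value = first.partition("=")
    if name != "ORKUTPREF":
        raise ValueError(f"unexpected cookie {name!r}")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.lower()] = val if val else True  # flag attrs carry no value
    return parse_orkutpref(value), attributes


def missing_attrs(attributes):
    """Which of the wanted cookie attributes are absent."""
    return [a for a in WANTED_ATTRS if a not in attributes]


if __name__ == "__main__":
    fields, attributes = from_set_cookie(SAMPLE_SET_COOKIE)
    for key, val in fields.items():
        print(f"{key:4} = {val}")
    print("identity fields:", decode_identity_fields(fields))
    print("missing attributes on the sample:", missing_attrs(attributes))
```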
And then the backend retires the auth token (removes it from the list of outstanding tokens) once the login into the service has completed, so it is single-use. (confirmed)
So that is about how the orkut login takes place.
(I know the last part was especially shabby, but I thought I would continue this in another blog entry.)
W00t! I got r00t!
About this entry
You’re currently reading “Orkut/google login schemas,” an entry on Crack in the River
- Published: July 8, 2007 / 9:19 pm