Something Changed about AppStore’s Redeem Protocol

For some reason, I analyzed the redeem protocol again.

When I last looked into it, about 18 months ago, there were two requests after entering the code and pressing the Redeem button on its landing page.
Code can be found here: /sskaje/code/itunes/auto_redeemer.php
1. Submit an HTML form to an address like ‘/WebObjects/MZFinance.woa/wo/1.2.3.4’ with the redeem code.
2. If the redeem code is not usable, an error message will be displayed; otherwise iTunes would prompt a login dialog to ask for your password.
3. After being re-authenticated, a second request would be sent, which performed the real redeem action.


When I was trying to replay the procedure, I found that the re-authentication can be ignored, so you can understand what I wrote at the link above.

Today, I tried my iTunes on Windows 8, captured its HTTP packets, and found the requests different from before: the two requests are now ONE and the same request!
Once you have entered your password in iTunes in that pop-up dialog, you won’t need to input your password (get an authentication required response); instead, your code will be redeemed.

Some cookie fields were found to be different, but I have not tested them yet.
Still, there’s another way to make the code testable, but it is not technically clean and easy.

Something Changed about AppStore’s Redeem Protocol by @sskaje: https://sskaje.me/2013/10/something-changed-about-appstores-redeem-protocol/