1

(33 replies, posted in Institution Errors)

pgs wrote:

The server is very finicky about the order of the HTTP headers -- this sequence works for me:

POST / HTTP/1.1
Content-Type: application/x-ofx
Host: ofx.discovercard.com
Content-Length: [the length of the request]
Connection: Keep-Alive

Thanks pgs!! This finally fixed it for me.

As a data point, with these headers I was able to get correct responses from the server using either robler's ofx 2.1.1 request in #16 or my original ofx 1.0.2 request in #13. I can't believe this is the case, but the headers indeed have to be exactly these lines in exactly this order.

2

(33 replies, posted in Institution Errors)

robler wrote:

Unless I install Fiddler or something similar, I don't know of any way to get the full HTTP request, that's why I posted my debug info. Do you know of a simple way? I'm using C#.

I see you have the line "httpReqst.ContentLength = enc.Length". Would you mind printing out the string that was encoded into the variable "enc", and posting that (with personal info redacted)? Unfortunately I'm not familiar with C#, and a quick Google search didn't produce any way to print out the entire HTTP POST request. But "enc" presumably contains the OFX request, which should be very helpful in combination with the headers in the debugging info you posted earlier.

robler wrote:

All I can say is that you need to implement the headers I specified or it's not going to work. The fact that your code didn't use UserAgent or Expect100Continue and used to work is the point; Discover changed their header requirements. Now Discover expects these, before it didn't.

Unless I'm mistaken, setting "httpReqst.UserAgent = null" simply removes UserAgent from the headers, and setting "httpReqst.ServicePoint.Expect100Continue = false" removes "Expect: 100-continue" from the headers. Since I didn't have these headers to begin with, I think I'm running into a different issue than you are. Thanks anyway!

3

(33 replies, posted in Institution Errors)

@robler I have also been getting 403 Forbidden since ~2/15, and my code didn't use the UserAgent or Expect headers to begin with. Thanks for posting the debugging info, but I wasn't able to learn anything from it. Echoing @overflow636, if you wouldn't mind posting the actual HTTP request sent to ofx.discovercard.com, it'd be greatly helpful. I've included mine below for reference.

POST / HTTP/1.1
Host: ofx.discovercard.com
Accept-Encoding: identity
Content-Length: 685
Content-Type: application/x-ofx
Accept: */*, application/x-ofx

OFXHEADER:100
DATA:OFXSGML
VERSION:102
SECURITY:NONE
ENCODING:USASCII
CHARSET:1252
COMPRESSION:NONE
OLDFILEUID:NONE
NEWFILEUID:uid_redacted

<OFX>
<SIGNONMSGSRQV1>
<SONRQ>
<DTCLIENT>20170228161351
<USERID>username_redacted
<USERPASS>password_redacted
<LANGUAGE>ENG
<FI>
<ORG>Discover Financial Services
<FID>7101
</FI>
<APPID>QWIN
<APPVER>2200
</SONRQ>
</SIGNONMSGSRQV1>
<CREDITCARDMSGSRQV1>
<CCSTMTTRNRQ>
<TRNUID>uid_redacted
<CLTCOOKIE>4
<CCSTMTRQ>
<CCACCTFROM>
<ACCTID>card_number_redacted
</CCACCTFROM>
<INCTRAN>
<DTSTART>20161230
<INCLUDE>Y
</INCTRAN>
</CCSTMTRQ>
</CCSTMTTRNRQ>
</CREDITCARDMSGSRQV1>
</OFX>

Before ~2/15, the server would respond with an OFX file containing transaction details. After ~2/15, I get a 403 Forbidden status with an HTML page saying Access Denied. I've tried removing different combinations of unnecessary HTTP headers, changing ofx version and appver to newer ones, and removing special characters from my password, all to no avail.
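The header sequence quoted from pgs at the top of this page, and the failing request in the post above, as an added example that is not code from any poster in the thread: it emits the four headers in the quoted order while suppressing the headers Python's `http.client` normally adds on its own, and compares a captured request's header order against that sequence. The function names are hypothetical, the use of HTTPS on the default port is an assumption, and the sample bytes are constructed from the header lines shown above.

```python
import http.client

# Header names and order as quoted from pgs on this page.
WORKING_ORDER = ["Content-Type", "Host", "Content-Length", "Connection"]

def ordered_headers(body: bytes, host: str) -> list:
    values = {"Content-Type": "application/x-ofx", "Host": host,
              "Content-Length": str(len(body)),  # byte length of the encoded body
              "Connection": "Keep-Alive"}
    return [(name, values[name]) for name in WORKING_ORDER]

def build_request(body: bytes, host: str = "ofx.discovercard.com") -> bytes:
    """Serialize the request so the exact bytes can be inspected before sending."""
    head = ["POST / HTTP/1.1"] + [f"{n}: {v}" for n, v in ordered_headers(body, host)]
    return "\r\n".join(head).encode("ascii") + b"\r\n\r\n" + body

def send(body: bytes, host: str = "ofx.discovercard.com"):
    """Send over HTTPS (assumed) without http.client's automatic Host/Accept-Encoding."""
    conn = http.client.HTTPSConnection(host, timeout=30)
    conn.putrequest("POST", "/", skip_host=True, skip_accept_encoding=True)
    for name, value in ordered_headers(body, host):
        conn.putheader(name, value)
    conn.endheaders(body)
    return conn.getresponse()

def header_names(raw: bytes) -> list:
    """Header names in wire order, taken from the head of a raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    return [l.split(":", 1)[0].strip() for l in head.split("\r\n")[1:] if ":" in l]

def diff_against_working(raw: bytes) -> dict:
    """Report extra headers, missing headers, and whether shared ones are in order."""
    names = header_names(raw)
    shared = [n for n in names if n in WORKING_ORDER]
    return {"extra": [n for n in names if n not in WORKING_ORDER],
            "missing": [n for n in WORKING_ORDER if n not in names],
            "order_ok": shared == [n for n in WORKING_ORDER if n in names]}

# Constructed sample: header block of the failing request posted above.
SAMPLE_FAILING = (b"POST / HTTP/1.1\r\nHost: ofx.discovercard.com\r\n"
                  b"Accept-Encoding: identity\r\nContent-Length: 685\r\n"
                  b"Content-Type: application/x-ofx\r\n"
                  b"Accept: */*, application/x-ofx\r\n\r\n")

if __name__ == "__main__":
    print(diff_against_working(SAMPLE_FAILING))
    print(build_request(b"OFXHEADER:100\r\n").decode("ascii"))
```

Header names are compared exactly as written, and `send` is defined but not called, so the block runs offline.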