Agency Login

Form POST

Traditional HTML form submission — no JavaScript required.

The browser serialises the fields as application/x-www-form-urlencoded and POSTs directly to the server. On success the server redirects to the IRIX dashboard; on failure it redirects back with an error.

Fields submitted

  • resellerCode — agency identifier
  • username — agent identifier
  • password
  • action = "login" (hidden field)

Endpoint

POST /reseller/auth/


Cross-origin considerations

Traditional form POST is not blocked by CORS — browsers intentionally allow cross-origin form submissions (this is also why CSRF attacks are possible). However, a cross-origin deployment can still break login in other ways:

  • SameSite cookies — the session cookie set by the server after login may not be sent on subsequent requests if SameSite=Strict or Lax is used and the landing page is on a different origin.
  • IRIX back-office config — the landing page URL must be registered under Reseller Settings and the origin whitelisted under Application CORS, or the server may reject the request.
  • CSP form-action — a Content-Security-Policy header on the page hosting the form whose form-action directive does not allow the IRIX origin will cause the browser to block the POST before it is even sent.
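
The CSP form-action case can be checked before deployment. The following is an added example, not part of the IRIX documentation: it parses a landing page's Content-Security-Policy header and reports whether a form POST to the login endpoint would be allowed. The hosts agency.example and irix.example are constructed, and the source matching is simplified (paths in source expressions are ignored).

```javascript
// Added example: does a landing page's CSP allow its login form to POST to IRIX?
// Simplified source matching: 'none', 'self', *, scheme sources, and host sources
// with optional scheme, leading "*." and port. Source paths are ignored.

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

function sourceMatches(source, target, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return target.origin === page.origin;
  if (s === '*') return ['http:', 'https:'].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // A source without a scheme takes the page's scheme (https is also accepted).
  const schemeOk = scheme
    ? target.protocol === scheme + ':'
    : target.protocol === page.protocol || target.protocol === 'https:';
  const hostOk = wildcard
    ? target.hostname.endsWith('.' + host)
    : target.hostname === host;
  const defaultPort = target.protocol === 'https:' ? '443' : '80';
  const portOk = port === '*' || (target.port || defaultPort) === (port || defaultPort);
  return schemeOk && hostOk && portOk;
}

function formPostAllowed(cspHeader, pageUrl, actionUrl) {
  const page = new URL(pageUrl);
  const target = new URL(actionUrl, page); // resolves a relative action such as /reseller/auth/
  const sources = parseCsp(cspHeader).get('form-action');
  // form-action does not fall back to default-src: absent means unrestricted.
  if (sources === undefined) return true;
  return sources.some((src) => sourceMatches(src, target, page));
}

// Constructed hosts (assumptions): landing page agency.example, IRIX on irix.example.
const PAGE = 'https://agency.example/login';
const IRIX = 'https://irix.example/reseller/auth/';
```

A policy with only default-src does not restrict the form, while form-action 'self' on a cross-origin landing page blocks it until the IRIX origin is listed.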

References