Solved

PHP POST Login using cURL

Posted on 2012-03-21
Last Modified: 2012-03-22
Hi there, I'm wondering how to post a login form using cURL.

Basically when you access login page = index.php, it gives you PHP SESSION ID, then when you press login button, it passes that session ID to the login page. (without php session id, login script will not login even if the username and password are correct).

Some data of what happens when I login (WIRESHARK)

POST /login.php HTTP/1.1
Host: www.mydomain.com
Connection: keep-alive
Content-Length: 41
Cache-Control: max-age=0
Origin: http://www.mydomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.79 Safari/535.11
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.mydomain.com/error.php?err=LOGGED_OUT
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c88053b1928f1c292e7e691be71d0a5e; IDstack=%2C1681189%2C; hflastvisit=1330392616; hflastactivity=0; hfuserid=1681189; hfpassword=MD5PWHASH; sort_num=50; __utma=165966376.497838475.1330693148.1332268237.1332344736.34; __utmz=165966376.1330693148.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gm_password=MD5PWHASH



How do I login into this page using cURL?

I've tried many things but none of them work.
0
Question by:mropenmind
 

Author Comment

by:mropenmind
ID: 37750445
Oh yea, after logging in I need to get html source of the pages that require login.
0
 

Author Comment

by:mropenmind
ID: 37750482
The code below gives me the index.php page (LOGGED IN VERSION) however I cannot navigate to other pages, because in session cookies cURL only sets gmpassword.

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.mydomain.com/login.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "username=MYUSERNAME&password=MYPASSWORD"); 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt");  // Enables session support
curl_setopt($ch, CURLOPT_REFERER, "http://www.mydomain.com/error.php?err=LOGGED_OUT");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.79 Safari/535.11");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);

$output = curl_exec($ch);

?>


0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 37750574
Please post the actual URL you want to log in to (we all know it is not "domain.com"), along with the credentials you will use to log in (user name, password, etc).  Each such script is a bit of a research and development project.  Your script will have to act like a well-behaved web browser, following redirect headers and returning cookies.  Additionally it may need to return form tokens.  If there is a CAPTCHA involved, it is unlikely that any script will be successful with the login, but if CAPTCHA is not present it is usually possible to effect the login and make automated access to the protected pages.

When you post this information, please also post a link to the terms of use so I can be sure that it is OK to attempt an automated login to the site.  I am not 100% sure I can be successful with this effort, but I am 100% sure it should only be attempted if the site gives permission for this kind of access.

Many sites expose an API when they want clients to have automated access to their underlying data model.  If the TOS document does not grant permission for automated login you might consider contacting the publishers and asking for an API.

Best regards, ~Ray
0
 

Author Comment

by:mropenmind
ID: 37750787
I'm a game master in a game and I'm making a script for other GMs. I made a C# one and it works, however I cannot host it on my PC all the time so I will instead host it on my webserver, but I'm struggling to find a working solution.

The login details and the website however are confidential and I cannot disclose them for public access! Therefore if you give me your email, or drop me a line to: mropenmind@hotmail.co.uk I can provide you with the information you need.

Thanks
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 37750836
"login details and the website however are confidential and I cannot disclose them"

Good grief!  I am not getting paid here and I am not the only expert at EE, and I may have other obligations tomorrow.  You need to be able to take advantage of this entire support community.  Please create a test data set that you can wipe out at a moment's notice.  You really need to have a test bed that anyone can attack.  And it needs to be impermeable so that you can establish it, destroy it, and reinvent it at the click of a button.

Why?  Consider Facebook.  They have a very robust web presence, and their public-facing web pages get a lot of bad-actor traffic every day.   If you're building a public-facing web site, you need to be equally safe.

So please create a public-facing web page that you can confidently expose to the public.  Then post back here with the URL, the source code, and the credentials.  Once you do that we can help you with any of the details.
0
 

Author Comment

by:mropenmind
ID: 37751883
How about you just tell me how do I send additional headers with the example above and save cookies that are coming back from the login.php response.
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 37752453
I will revisit this when we have a URL that we can access over the internet with CURL, along with the credentials needed to complete the login.  It's not worth my time to speculate about what might or might not be in a script I cannot see.  I'm sure you understand.  Thanks, ~Ray
0

 

Author Comment

by:mropenmind
ID: 37752627
URL: http://gm.heroesofnewerth.com/
Login: username
Password: password

I need to login and then use the cookies to obtain HTML SOURCE for this page: http://gm.heroesofnewerth.com/gm_decisions.php
http://gm.heroesofnewerth.com/gm_decisions.php?&page=2
and so on.

NOTE: Do not press GET NEXT AVAILABLE TICKET!!!!
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 37752687
Thanks.  I tested the page manually.  It looks like the URL redirected to something else.  Is there a logout page?
0
 

Author Comment

by:mropenmind
ID: 37752727
Login itself is at error.php or index.php, then it gives a PHP session ID and login details from the form are passed to login.php. Logout page: http://gm.heroesofnewerth.com/logout.php
0
 

Author Comment

by:mropenmind
ID: 37752731
Once login is successful you are transferred to index.php
0
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 37752803
This seems to achieve the login and read the next page (line 116).  You might want to change that password now.
<?php // RAY_temp_newerth.php
error_reporting(E_ALL);
echo "<pre>";

// THE REPLACEMENTS (CASE SENSITIVE) ARE THE LOGIN CREDENTIALS FOR THE SITE
$replacements["username"] = 'username';
$replacements["password"] = 'password';

// READ THE PAGE WITH THE LOGIN FORM
$baseurl = 'http://gm.heroesofnewerth.com/';
$ch = curl_init();

// SET THE CURL OPTIONS - SEE http://php.net/manual/en/function.curl-setopt.php
curl_setopt($ch, CURLOPT_POST, FALSE);
curl_setopt($ch, CURLOPT_URL, $baseurl);
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($ch, CURLOPT_COOKIEJAR,  'cookie.txt');
curl_setopt($ch, CURLOPT_FAILONERROR, TRUE);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);

// CALL THE WEB PAGE
$htm = curl_exec($ch);
$err = curl_errno($ch);
$inf = curl_getinfo($ch);

// IF ERRORS - SEE http://curl.haxx.se/libcurl/c/libcurl-errors.html
if ($htm === FALSE)
{
    echo PHP_EOL . "CURL GET FAIL: $baseurl CURL_ERRNO=$err ";
    var_dump($inf);
    die();
}


// REMOVE THE END-OF-LINE CHARACTERS
$htm = str_replace(PHP_EOL, '', $htm);

// ISOLATE THE FORM
$form   = explode("<form",$htm);
$form   = explode("</form>",$form[1]);
$inputs = explode("<input",$form[0]);
$post   = "";

foreach($inputs as $key => $val)
{
    // IDENTIFY THE ACTION SCRIPT
    $action = strpos($val, "action");
    if($action !== false)
    {
        // EXTRACT THE ACTION SCRIPT NAME FROM THE FORM INPUT
        $actstart = strpos($val, "\"", $action+1);
        $actend   = strpos($val, "\"", $actstart+1);
        $posturl  = substr($val, $actstart+1, ($actend-$actstart-1));
        continue;
    }

    // IDENTIFY THE INPUT FIELDS BY NAME AND VALUE PAIRS
    $name = strpos($val, "name");
    if($name !== false)
    {
        // EXTRACT THE NAME FROM THE FORM INPUT
        $namestart = strpos($val, "\"", $name+1);
        $nameend   = strpos($val, "\"", $namestart+1);
        $strname   = substr($val, $namestart+1, ($nameend-$namestart-1));

        // EXTRACT THE VALUE
        $value = strpos($val, "value");
        if($value !== false)
        {
            $valuestart = strpos($val, "\"", $value+1);
            $valueend   = strpos($val, "\"", $valuestart+1);
            $strvalue   = substr($val, $valuestart+1, ($valueend-$valuestart-1));
        }

        // IF NO VALUE TRY TO REPLACE
        else
        {
            foreach ($replacements as $k => $v)
            {
                if ($k == $strname) $strvalue = $v;
            }
        }
        $post .= "&" . $strname . "=" . urlencode($strvalue);
    }
}

// DATA EXTRACTION COMPLETE -- WAIT A RESPECTABLE PERIOD OF TIME
sleep(1);

// DECLOP LEFTMOST AMPERSAND
$post = substr($post,1);

// SET THE LOGIN URL
$posturl = rtrim($baseurl, '/') . '/' . ltrim($posturl, '/');

// NOW POST THE DATA WE HAVE FILLED IN
curl_setopt($ch, CURLOPT_URL, $posturl);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);

// CALL THE WEB PAGE
$xyz = curl_exec($ch);
$err = curl_errno($ch);
$inf = curl_getinfo($ch);

// IF ERRORS - SEE http://curl.haxx.se/libcurl/c/libcurl-errors.html
if ($xyz === FALSE)
{
    echo PHP_EOL . "CURL POST FAIL: $posturl CURL_ERRNO=$err ";
    var_dump($inf);
}

// NOW ON TO THE NEXT PAGE, USING THE GET METHOD
curl_setopt($ch, CURLOPT_URL, 'http://gm.heroesofnewerth.com/gm_decisions.php');
curl_setopt($ch, CURLOPT_POST, FALSE);
curl_setopt($ch, CURLOPT_POSTFIELDS, '');

$xyz = curl_exec($ch);
$err = curl_errno($ch);
$inf = curl_getinfo($ch);

// IF ERRORS - SEE http://curl.haxx.se/libcurl/c/libcurl-errors.html
if ($xyz === FALSE)
{
    echo PHP_EOL . "CURL 2ND GET FAIL: $posturl CURL_ERRNO=$err ";
    var_dump($inf);
}

// SHOW OFF THE DATA AFTER THE LOGIN
echo htmlentities($xyz);


0
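The accepted answer finds the form's action and input fields with strpos() on the raw HTML. As an added example (not Ray Paseur's code and not the site's), here is the same step done with DOMDocument, which decodes HTML entities in hidden values and resolves the action against the page URL. The sample form, the `token` field, the `example.test` host and the credentials are all constructed for illustration.

```php
<?php
// Added example, not code from the thread. $sampleHtml is constructed input.
$sampleHtml = <<<'HTML'
<form method="post" action="login.php">
  <input type="hidden" name="token" value="a1&amp;b2">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
HTML;

// Returns ['url' => absolute action URL, 'body' => urlencoded POST body].
function build_login_post(string $html, string $pageUrl, array $credentials): array
{
    libxml_use_internal_errors(true);        // tolerate real-world, invalid HTML
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();

    $form = $doc->getElementsByTagName('form')->item(0);
    if ($form === null) {
        throw new RuntimeException('no <form> element in page');
    }

    $fields = [];
    foreach ($form->getElementsByTagName('input') as $input) {
        $name = $input->getAttribute('name');
        if ($name === '') {
            continue;                        // unnamed inputs are not submitted
        }
        // Our credentials win; any other field (e.g. a hidden token) is echoed back.
        $fields[$name] = $credentials[$name] ?? $input->getAttribute('value');
    }

    // Resolve the action against the page URL (absolute, root-relative, or relative).
    $action = $form->getAttribute('action');
    if ($action === '') {
        $action = $pageUrl;
    } elseif (!preg_match('#^https?://#i', $action)) {
        $p      = parse_url($pageUrl);
        $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
        $dir    = preg_replace('#[^/]*$#', '', $p['path'] ?? '/');
        $action = $origin . ($action[0] === '/' ? '' : $dir) . $action;
    }
    return ['url' => $action, 'body' => http_build_query($fields)];
}

$req = build_login_post($sampleHtml, 'http://www.example.test/index.php',
                        ['username' => 'alice', 'password' => 'p&ss word']);
echo $req['url'], PHP_EOL, $req['body'], PHP_EOL;
```

Pass the returned `url` and `body` to CURLOPT_URL and CURLOPT_POSTFIELDS on the same cURL handle that fetched the form, so the PHPSESSID cookie set by the first request goes out with the login POST. The file named in CURLOPT_COOKIEJAR holds the live session cookies, so keep it outside the web root and readable only by the script's user.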
 

Author Closing Comment

by:mropenmind
ID: 37752885
Thanks for help.
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 37752922
Thanks for the points!  All the best, ~Ray
0
