Solved

PHP POST Login using cURL

Posted on 2012-03-21
Last Modified: 2012-03-22
Hi there, I'm wondering how to post a login form using cURL.

Basically, when you access the login page (index.php), it gives you a PHP session ID; then when you press the login button, it passes that session ID to the login page (without the PHP session ID, the login script will not log in even if the username and password are correct).

Some data of what happens when I login (WIRESHARK)

POST /login.php HTTP/1.1
Host: www.mydomain.com
Connection: keep-alive
Content-Length: 41
Cache-Control: max-age=0
Origin: http://www.mydomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.79 Safari/535.11
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.mydomain.com/error.php?err=LOGGED_OUT
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c88053b1928f1c292e7e691be71d0a5e; IDstack=%2C1681189%2C; hflastvisit=1330392616; hflastactivity=0; hfuserid=1681189; hfpassword=MD5PWHASH; sort_num=50; __utma=165966376.497838475.1330693148.1332268237.1332344736.34; __utmz=165966376.1330693148.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gm_password=MD5PWHASH


How do I login into this page using cURL?

I've tried many things but none of them work.
Question by:mropenmind

Author Comment

by:mropenmind
ID: 37750445
Oh yea, after logging in I need to get html source of the pages that require login.

Author Comment

by:mropenmind
ID: 37750482
The code below gives me the index.php page (LOGGED IN VERSION) however I cannot navigate to other pages, because in session cookies cURL only sets gmpassword.

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.mydomain.com/login.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "username=MYUSERNAME&password=MYPASSWORD"); 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt");  // Enables session support
curl_setopt($ch, CURLOPT_REFERER, "http://www.mydomain.com/error.php?err=LOGGED_OUT");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.79 Safari/535.11");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);

$output = curl_exec($ch);

?>

Expert Comment

by:Ray Paseur
ID: 37750574
Please post the actual URL you want to log in to (we all know it is not "domain.com"), along with the credentials you will use to log in (user name, password, etc).  Each such script is a bit of a research and development project.  Your script will have to act like a well-behaved web browser, following redirect headers and returning cookies.  Additionally it may need to return form tokens.  If there is a CAPTCHA involved, it is unlikely that any script will be successful with the login, but if CAPTCHA is not present it is usually possible to effect the login and make automated access to the protected pages.

When you post this information, please also post a link to the terms of use so I can be sure that it is OK to attempt an automated login to the site.  I am not 100% sure I can be successful with this effort, but I am 100% sure it should only be attempted if the site gives permission for this kind of access.

Many sites expose an API when they want clients to have automated access to their underlying data model.  If the TOS document does not grant permission for automated login you might consider contacting the publishers and asking for an API.

Best regards, ~Ray

Author Comment

by:mropenmind
ID: 37750787
I'm a game master in a game and I'm making a script for other GMs. I made a C# one and it works, however I cannot host it on my PC all the time so I will instead host it on my webserver but I'm struggling to find a working solution.

The login details and the website however are confidential and I cannot disclose them for public access! Therefore if you give me your email, or drop me a line to: mropenmind@hotmail.co.uk I can provide you with the information you need.

Thanks

Expert Comment

by:Ray Paseur
ID: 37750836
"login details and the website however are confidential and I cannot disclose them"

Good grief!  I am not getting paid here and I am not the only expert at EE, and I may have other obligations tomorrow.  You need to be able to take advantage of this entire support community.  Please create a test data set that you can wipe out at a moment's notice.  You really need to have a test bed that anyone can attack.  And it needs to be impermeable so that you can establish it, destroy it, and reinvent it at the click of a button.

Why?  Consider Facebook.  They have a very robust web presence, and their public-facing web pages get a lot of bad-actor traffic every day.   If you're building a public-facing web site, you need to be equally safe.

So please create a public-facing web page that you can confidently expose to the public.  Then post back here with the URL, the source code, and the credentials.  Once you do that we can help you with any of the details.

Author Comment

by:mropenmind
ID: 37751883
How about you just tell me how to send additional headers with the example above and save the cookies that are coming back from the login.php response?

Expert Comment

by:Ray Paseur
ID: 37752453
I will revisit this when we have a URL that we can access over the internet with CURL, along with the credentials needed to complete the login.  It's not worth my time to speculate about what might or might not be in a script I cannot see.  I'm sure you understand.  Thanks, ~Ray

Author Comment

by:mropenmind
ID: 37752627
URL: http://gm.heroesofnewerth.com/
Login: username
Password: password

I need to login and then use the cookies to obtain HTML SOURCE for this page: http://gm.heroesofnewerth.com/gm_decisions.php
http://gm.heroesofnewerth.com/gm_decisions.php?&page=2
and so on.

NOTE: Do not press GET NEXT AVAILABLE TICKET!!!!

Expert Comment

by:Ray Paseur
ID: 37752687
Thanks.  I tested the page manually.  It looks like the URL redirected to something else.  Is there a logout page?

Author Comment

by:mropenmind
ID: 37752727
Login itself is at error.php or index.php, then it gives a PHP session id and login details from the form are passed to login.php. Logout page: http://gm.heroesofnewerth.com/logout.php

Author Comment

by:mropenmind
ID: 37752731
Once login is successful you are transferred to index.php

Accepted Solution

by:Ray Paseur
ID: 37752803
This seems to achieve the login and read the next page (line 116).  You might want to change that password now.
<?php // RAY_temp_newerth.php
error_reporting(E_ALL);
echo "<pre>";

// THE REPLACEMENTS (CASE SENSITIVE) ARE THE LOGIN CREDENTIALS FOR THE SITE
$replacements["username"] = 'username';
$replacements["password"] = 'password';

// READ THE PAGE WITH THE LOGIN FORM
$baseurl = 'http://gm.heroesofnewerth.com/';
$ch = curl_init();

// SET THE CURL OPTIONS - SEE http://php.net/manual/en/function.curl-setopt.php
curl_setopt($ch, CURLOPT_POST, FALSE);
curl_setopt($ch, CURLOPT_URL, $baseurl);
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($ch, CURLOPT_COOKIEJAR,  'cookie.txt');
curl_setopt($ch, CURLOPT_FAILONERROR, TRUE);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);

// CALL THE WEB PAGE
$htm = curl_exec($ch);
$err = curl_errno($ch);
$inf = curl_getinfo($ch);

// IF ERRORS - SEE http://curl.haxx.se/libcurl/c/libcurl-errors.html
if ($htm === FALSE)
{
    echo PHP_EOL . "CURL GET FAIL: $baseurl CURL_ERRNO=$err ";
    var_dump($inf);
    die();
}


// REMOVE THE END-OF-LINE CHARACTERS
$htm = str_replace(PHP_EOL, '', $htm);

// ISOLATE THE FORM
$form   = explode("<form",$htm);
$form   = explode("</form>",$form[1]);
$inputs = explode("<input",$form[0]);
$post   = "";

foreach($inputs as $key => $val)
{
    // IDENTIFY THE ACTION SCRIPT
    $action = strpos($val, "action");
    if($action !== false)
    {
        // EXTRACT THE ACTION SCRIPT NAME FROM THE FORM INPUT
        $actstart = strpos($val, "\"", $action+1);
        $actend   = strpos($val, "\"", $actstart+1);
        $posturl  = substr($val, $actstart+1, ($actend-$actstart-1));
        continue;
    }

    // IDENTIFY THE INPUT FIELDS BY NAME AND VALUE PAIRS
    $name = strpos($val, "name");
    if($name !== false)
    {
        // EXTRACT THE NAME FROM THE FORM INPUT
        $namestart = strpos($val, "\"", $name+1);
        $nameend   = strpos($val, "\"", $namestart+1);
        $strname   = substr($val, $namestart+1, ($nameend-$namestart-1));

        // EXTRACT THE VALUE
        $value = strpos($val, "value");
        if($value !== false)
        {
            $valuestart = strpos($val, "\"", $value+1);
            $valueend   = strpos($val, "\"", $valuestart+1);
            $strvalue   = substr($val, $valuestart+1, ($valueend-$valuestart-1));
        }

        // IF NO VALUE TRY TO REPLACE
        else
        {
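            // USE OUR CREDENTIAL FOR THIS FIELD NAME, ELSE AN EMPTY STRING, SO A
            // VALUE LEFT OVER FROM AN EARLIER INPUT IS NEVER POSTED BY MISTAKE
            $strvalue = isset($replacements[$strname])
                      ? $replacements[$strname] : '';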
        }
        $post .= "&" . $strname . "=" . urlencode($strvalue);
    }
}

// DATA EXTRACTION COMPLETE -- WAIT A RESPECTABLE PERIOD OF TIME
sleep(1);

// DECLOP LEFTMOST AMPERSAND
$post = substr($post,1);

// SET THE LOGIN URL
$posturl = rtrim($baseurl, '/') . '/' . ltrim($posturl, '/');

// NOW POST THE DATA WE HAVE FILLED IN
curl_setopt($ch, CURLOPT_URL, $posturl);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);

// CALL THE WEB PAGE
$xyz = curl_exec($ch);
$err = curl_errno($ch);
$inf = curl_getinfo($ch);

// IF ERRORS - SEE http://curl.haxx.se/libcurl/c/libcurl-errors.html
if ($xyz === FALSE)
{
    echo PHP_EOL . "CURL POST FAIL: $posturl CURL_ERRNO=$err ";
    var_dump($inf);
}

// NOW ON TO THE NEXT PAGE, USING THE GET METHOD
curl_setopt($ch, CURLOPT_URL, 'http://gm.heroesofnewerth.com/gm_decisions.php');
// CURLOPT_HTTPGET SWITCHES THE REUSED HANDLE BACK TO GET (SETTING POSTFIELDS IMPLIES POST)
curl_setopt($ch, CURLOPT_HTTPGET, TRUE);

$xyz = curl_exec($ch);
$err = curl_errno($ch);
$inf = curl_getinfo($ch);

// IF ERRORS - SEE http://curl.haxx.se/libcurl/c/libcurl-errors.html
if ($xyz === FALSE)
{
    echo PHP_EOL . "CURL 2ND GET FAIL: $posturl CURL_ERRNO=$err ";
    var_dump($inf);
}

// SHOW OFF THE DATA AFTER THE LOGIN
echo htmlentities($xyz);

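An added example, not part of the thread or of Ray Paseur's script: the same form-scraping step done with PHP's DOMDocument instead of string offsets, with a check that the credentials are only posted back to the host that served the login page. The sample HTML, field names, token value and example.test are constructed; it assumes the form's action is a relative path or an absolute URL.

```php
<?php
// Constructed sample of a login page (not the real site's markup).
$sampleHtml = <<<'HTML'
<form method="post" action="login.php">
  <input type="hidden" name="token" value="a&amp;b=1">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="checkbox" name="remember" value="1">
  <input type="submit" value="Log in">
</form>
HTML;

// Return [absolute action URL, POST fields] for the first form in $html.
function extract_login_form(string $html, string $baseUrl, array $credentials): array
{
    libxml_use_internal_errors(true);           // tolerate sloppy real-world HTML
    $dom = new DOMDocument();
    $dom->loadHTML($html);
    libxml_clear_errors();
    $form = $dom->getElementsByTagName('form')->item(0);
    if ($form === null) {
        throw new RuntimeException('no <form> on the login page');
    }
    $fields = [];
    foreach ($form->getElementsByTagName('input') as $input) {
        $name = $input->getAttribute('name');
        $type = strtolower($input->getAttribute('type'));
        $unchecked = in_array($type, ['checkbox', 'radio'], true)
                  && !$input->hasAttribute('checked');
        if ($name === '' || $unchecked) {
            continue;                           // a browser would not send these
        }
        // Our credential if we have one for this name, else the server's own
        // value (hidden tokens); never a value left over from another input.
        $fields[$name] = $credentials[$name] ?? $input->getAttribute('value');
    }
    $action = $form->getAttribute('action');
    if (parse_url($action, PHP_URL_SCHEME) === null) {   // relative action
        $action = rtrim($baseUrl, '/') . '/' . ltrim($action, '/');
    }
    // Refuse to send the credentials to a different host than the login page.
    if (parse_url($action, PHP_URL_HOST) !== parse_url($baseUrl, PHP_URL_HOST)) {
        throw new RuntimeException("form posts to another host: $action");
    }
    return [$action, $fields];
}

[$url, $fields] = extract_login_form($sampleHtml, 'http://example.test/',
    ['username' => 'MYUSERNAME', 'password' => 'MYPASSWORD']);
echo $url, PHP_EOL, http_build_query($fields), PHP_EOL;
```

Pass `http_build_query($fields)` to `CURLOPT_POSTFIELDS`. For the cookie jar, `tempnam(sys_get_temp_dir(), 'jar')` creates a file with mode 0600, whereas a `cookie.txt` beside the script sits wherever the web server can serve it unless that path is blocked.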
 

Author Closing Comment

by:mropenmind
ID: 37752885
Thanks for help.

Expert Comment

by:Ray Paseur
ID: 37752922
Thanks for the points!  All the best, ~Ray