Solved

PHP POST Login using cURL

Posted on 2012-03-21
Last Modified: 2012-03-22
Hi there, I'm wondering how to post a login form using cURL.

Basically when you access login page = index.php, it gives you PHP SESSION ID, then when you press login button, it passes that session ID to the login page. (without php session id, login script will not login even if the username and password are correct).

Some data of what happens when I login (WIRESHARK)

POST /login.php HTTP/1.1
Host: www.mydomain.com
Connection: keep-alive
Content-Length: 41
Cache-Control: max-age=0
Origin: http://www.mydomain.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.79 Safari/535.11
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.mydomain.com/error.php?err=LOGGED_OUT
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=c88053b1928f1c292e7e691be71d0a5e; IDstack=%2C1681189%2C; hflastvisit=1330392616; hflastactivity=0; hfuserid=1681189; hfpassword=MD5PWHASH; sort_num=50; __utma=165966376.497838475.1330693148.1332268237.1332344736.34; __utmz=165966376.1330693148.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); gm_password=MD5PWHASH


How do I login into this page using cURL?

I've tried many things but none of them work.
0
Question by:mropenmind
14 Comments
 

Author Comment

by:mropenmind
ID: 37750445
Oh yea, after logging in I need to get html source of the pages that require login.
0
 

Author Comment

by:mropenmind
ID: 37750482
The code below gives me the index.php page (LOGGED IN VERSION) however I cannot navigate to other pages, because in session cookies cURL only sets gmpassword.

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.mydomain.com/login.php");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "username=MYUSERNAME&password=MYPASSWORD"); 
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt");
curl_setopt($ch, CURL_COOKIEFILE, "cookie.txt");  // Enables session support
curl_setopt($ch, CURLOPT_REFERER, "http://www.mydomain.com/error.php?err=LOGGED_OUT");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.79 Safari/535.11");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);

$output = curl_exec($ch);

?>

0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 37750574
Please post the actual URL you want to log in to (we all know it is not "domain.com"), along with the credentials you will use to log in (user name, password, etc). Each such script is a bit of a research and development project. Your script will have to act like a well-behaved web browser, following redirect headers and returning cookies. Additionally it may need to return form tokens. If there is a CAPTCHA involved, it is unlikely that any script will be successful with the login, but if CAPTCHA is not present it is usually possible to effect the login and make automated access to the protected pages.

When you post this information, please also post a link to the terms of use so I can be sure that it is OK to attempt an automated login to the site.  I am not 100% sure I can be successful with this effort, but I am 100% sure it should only be attempted if the site gives permission for this kind of access.

Many sites expose an API when they want clients to have automated access to their underlying data model.  If the TOS document does not grant permission for automated login you might consider contacting the publishers and asking for an API.

Best regards, ~Ray
0
 

Author Comment

by:mropenmind
ID: 37750787
I'm a game master in game and I'm making a script for other GMs. I made a C# one and it works, however I cannot host it at my PC all the time so I will instead host it on my webserver but I'm struggling to find a working solution.

The login details and the website however are confidential and I cannot disclose them for public access! Therefore if you give me your email, or drop me a line to: mropenmind@hotmail.co.uk I can provide you with the information you need.

Thanks
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 37750836
login details and the website however are confidential and I cannot disclose them

Good grief!  I am not getting paid here and I am not the only expert at EE, and I may have other obligations tomorrow.  You need to be able to take advantage of this entire support community.  Please create a test data set that you can wipe out at a moment's notice.  You really need to have a test bed that anyone can attack.  And it needs to be impermeable so that you can establish it, destroy it, and reinvent it at the click of a button.

Why?  Consider Facebook.  They have a very robust web presence, and their public-facing web pages get a lot of bad-actor traffic every day.   If you're building a public-facing web site, you need to be equally safe.

So please create a public-facing web page that you can confidently expose to the public.  Then post back here with the URL, the source code, and the credentials.  Once you do that we can help you with any of the details.
0
 

Author Comment

by:mropenmind
ID: 37751883
How about you just tell me how do I send additional headers with the example above and save cookies that are coming back from the login.php response.
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 37752453
I will revisit this when we have a URL that we can access over the internet with CURL, along with the credentials needed to complete the login.  It's not worth my time to speculate about what might or might not be in a script I cannot see.  I'm sure you understand.  Thanks, ~Ray
0
 

Author Comment

by:mropenmind
ID: 37752627
URL: http://gm.heroesofnewerth.com/
Login: username
Password: password

I need to login and then use the cookies to obtain HTML SOURCE for this page: http://gm.heroesofnewerth.com/gm_decisions.php
http://gm.heroesofnewerth.com/gm_decisions.php?&page=2
and so on.

NOTE: Do not press GET NEXT AVAILABLE TICKET!!!!
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 37752687
Thanks.  I tested the page manually.  It looks like the URL redirected to something else.  Is there a logout page?
0
 

Author Comment

by:mropenmind
ID: 37752727
Login itself is at error.php or index.php, then it gives a PHP session id and login details from the form are passed to login.php. Logout page: http://gm.heroesofnewerth.com/logout.php
0
 

Author Comment

by:mropenmind
ID: 37752731
Once login is successful you are transferred to index.php
0
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 37752803
This seems to achieve the login and read the next page (line 116).  You might want to change that password now.
<?php // RAY_temp_newerth.php
error_reporting(E_ALL);
echo "<pre>";

// THE REPLACEMENTS (CASE SENSITIVE) ARE THE LOGIN CREDENTIALS FOR THE SITE
$replacements["username"] = 'username';
$replacements["password"] = 'password';

// READ THE PAGE WITH THE LOGIN FORM
$baseurl = 'http://gm.heroesofnewerth.com/';
$ch = curl_init();

// SET THE CURL OPTIONS - SEE http://php.net/manual/en/function.curl-setopt.php
curl_setopt($ch, CURLOPT_POST, FALSE);
curl_setopt($ch, CURLOPT_URL, $baseurl);
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookie.txt');
curl_setopt($ch, CURLOPT_COOKIEJAR,  'cookie.txt');
curl_setopt($ch, CURLOPT_FAILONERROR, TRUE);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_TIMEOUT, 3);

// CALL THE WEB PAGE
$htm = curl_exec($ch);
$err = curl_errno($ch);
$inf = curl_getinfo($ch);

// IF ERRORS - SEE http://curl.haxx.se/libcurl/c/libcurl-errors.html
if ($htm === FALSE)
{
    echo PHP_EOL . "CURL GET FAIL: $baseurl CURL_ERRNO=$err ";
    var_dump($inf);
    die();
}


// REMOVE THE END-OF-LINE CHARACTERS
$htm = str_replace(PHP_EOL, '', $htm);

// ISOLATE THE FORM
$form   = explode("<form",$htm);
$form   = explode("</form>",$form[1]);
$inputs = explode("<input",$form[0]);
$post   = "";

foreach($inputs as $key => $val)
{
    // IDENTIFY THE ACTION SCRIPT
    $action = strpos($val, "action");
    if($action !== false)
    {
        // EXTRACT THE ACTION SCRIPT NAME FROM THE FORM INPUT
        $actstart = strpos($val, "\"", $action+1);
        $actend   = strpos($val, "\"", $actstart+1);
        $posturl  = substr($val, $actstart+1, ($actend-$actstart-1));
        continue;
    }

    // IDENTIFY THE INPUT FIELDS BY NAME AND VALUE PAIRS
    $name = strpos($val, "name");
    if($name !== false)
    {
        // EXTRACT THE NAME FROM THE FORM INPUT
        $namestart = strpos($val, "\"", $name+1);
        $nameend   = strpos($val, "\"", $namestart+1);
        $strname   = substr($val, $namestart+1, ($nameend-$namestart-1));
        $strvalue  = ''; // START EMPTY SO A PREVIOUS FIELD'S VALUE IS NEVER REUSED
        // EXTRACT THE VALUE
        $value = strpos($val, "value");
        if($value !== false)
        {
            $valuestart = strpos($val, "\"", $value+1);
            $valueend   = strpos($val, "\"", $valuestart+1);
            $strvalue   = substr($val, $valuestart+1, ($valueend-$valuestart-1));
        }

        // IF NO VALUE TRY TO REPLACE
        else
        {
            foreach ($replacements as $k => $v)
            {
                if ($k == $strname) $strvalue = $v;
            }
        }
        $post .= "&" . $strname . "=" . urlencode($strvalue);
    }
}

// DATA EXTRACTION COMPLETE -- WAIT A RESPECTABLE PERIOD OF TIME
sleep(1);

// DECLOP LEFTMOST AMPERSAND
$post = substr($post,1);

// SET THE LOGIN URL
$posturl = rtrim($baseurl, '/') . '/' . ltrim($posturl, '/');

// NOW POST THE DATA WE HAVE FILLED IN
curl_setopt($ch, CURLOPT_URL, $posturl);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);

// CALL THE WEB PAGE
$xyz = curl_exec($ch);
$err = curl_errno($ch);
$inf = curl_getinfo($ch);

// IF ERRORS - SEE http://curl.haxx.se/libcurl/c/libcurl-errors.html
if ($xyz === FALSE)
{
    echo PHP_EOL . "CURL POST FAIL: $posturl CURL_ERRNO=$err ";
    var_dump($inf);
}

// NOW ON TO THE NEXT PAGE, USING THE GET METHOD
curl_setopt($ch, CURLOPT_URL, 'http://gm.heroesofnewerth.com/gm_decisions.php');
curl_setopt($ch, CURLOPT_POSTFIELDS, '');
curl_setopt($ch, CURLOPT_HTTPGET, TRUE); // SET LAST: ASSIGNING POSTFIELDS SWITCHES THE HANDLE BACK TO POST

$xyz = curl_exec($ch);
$err = curl_errno($ch);
$inf = curl_getinfo($ch);

// IF ERRORS - SEE http://curl.haxx.se/libcurl/c/libcurl-errors.html
if ($xyz === FALSE)
{
    echo PHP_EOL . "CURL 2ND GET FAIL: {$inf['url']} CURL_ERRNO=$err ";
    var_dump($inf);
}

// SHOW OFF THE DATA AFTER THE LOGIN
echo htmlentities($xyz);

0
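An alternative to the string-splitting form parser in the accepted answer, as an added example that is not part of Ray Paseur's post: it uses PHP's DOMDocument, so hidden token fields, single-quoted or unquoted attributes, and a value attribute that comes before the name are all handled. The sample HTML, the function name extract_login_form and the field names are assumptions made up for illustration.

```php
<?php
// Added example. The form below is constructed sample input, not the real site's markup.
$html = <<<'HTML'
<form method='post' action='login.php'>
  <input type="hidden" value="f3a9c1" name="token">
  <input name=username type=text>
  <input type="password" name="password">
  <input type="submit" name="go" value="Log in">
</form>
HTML;

// Return [action, fields] for the first form in $html. Inputs that already carry
// a value (hidden tokens, submit buttons) keep it; empty ones are filled from $fill.
function extract_login_form(string $html, array $fill): array
{
    $doc = new DOMDocument();
    // Real pages are rarely valid HTML: collect parser warnings instead of printing them.
    $previous = libxml_use_internal_errors(true);
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $form = $doc->getElementsByTagName('form')->item(0);
    if ($form === null) {
        throw new RuntimeException('No <form> element found');
    }

    $fields = [];
    foreach ($form->getElementsByTagName('input') as $input) {
        $name = $input->getAttribute('name');
        if ($name === '') {
            continue; // inputs without a name are never submitted
        }
        $value = $input->getAttribute('value');
        if ($value === '' && array_key_exists($name, $fill)) {
            $value = $fill[$name];
        }
        $fields[$name] = $value;
    }
    return [$form->getAttribute('action'), $fields];
}

[$action, $fields] = extract_login_form($html, ['username' => 'USERNAME', 'password' => 'PASSWORD']);
echo $action, PHP_EOL;
echo http_build_query($fields), PHP_EOL; // URL-encoded body for CURLOPT_POSTFIELDS
```

Keep the cookie jar file that cURL writes outside the web root and readable only by the script's user, since it holds the live session ID.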
 

Author Closing Comment

by:mropenmind
ID: 37752885
Thanks for help.
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 37752922
Thanks for the points!  All the best, ~Ray
0
