Logging in to another site with PHP+curl

PHP
1

I am trying to implement a new feature: the user of a PHP based site clicks on a link and is logged in into Perl based site. The logging in process itself works flawlessly. However, once I am in the Perl based site, once I click on any link, it asks me to log in again.

Upon further investigation. The code doesn’t set cookies.


    $username="john_smith";
    $password="tOpsecret";
    $url="https://somesite.com/login.html";
    $cookiefile='/tmp/MasonX-Request-WithApacheSession-cookie';

    $postdata = "mysite_username=".$username."&mysite_password=".$password;

    $ch = curl_init();
    curl_setopt ($ch, CURLOPT_URL, $url);
    curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6");
    curl_setopt ($ch, CURLOPT_TIMEOUT, 60);
    curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURL_COOKIEFILE, '');//dl
    curl_setopt ($ch, CURLOPT_COOKIEJAR, $cookiefile);
    curl_setopt ($ch, CURLOPT_COOKIEFILE, $cookiefile);
    curl_setopt ($ch, CURLOPT_REFERER, "https://whatsdown.nyi.net/news/");
    curl_setopt ($ch, CURLOPT_POSTFIELDS, $postdata);
    curl_setopt ($ch, CURLOPT_POST, 1);
    $result = curl_exec ($ch);
    $result = preg_replace("/<head>/i", "<head><base href='https://somesite.com/' />", $result, 1);
    echo $result;

Interestingly, the cookie does appear in the /tmp directory, but my browser says no cookies were set by the site. What is wrong, could someone help?

2

Is it possible that the Perl site is doing a redirect without you being conscious of it?

Try this tool, Firefox plug/addon called LiveHTTPHeaders.

Login as normal using FF with this feature switched on and watch the ensuing headers very carefully, essentially, it is that which you have to emulate with your cURL call (well, all the key information anyhow).

I could well be wrong but it could be a case of setting CURLOPT_MAXREDIRS if you detect redirects are happening.

3

Here’s my guess on what’s happening. From the code you supplied it seems like:

  • You make a Curl request to a remote server passing along the username and password.
  • The credentials are accepted by the remote webserver. A cookie is set on by the remote server in your cookie jar on your webserver.
  • You then echo out the remote site’s html to the user after doing some fiddling with the base href.
  • You then attempt to click a link in the html that was spit out from the remote site by your curl request.

If that’s true, I would guess that it’s asking you to log in again because the login cookie for your remote session was set on your webserver, not your browser.

4

Yeah, you are right. I see the cookie on the server in the /tmp directory, but not in the browser (tried both Chrome and Firefox). Why is that?

5

Cups: right when I am logged into the Perl site with curl, I don’t see the session cookie set. Isn’t it a problem with cookies? However, I can’t figure out why curl is not passing the cookie to the browser.

6

Because thats not what CURL does.

Curl makes a connection from the webserver to the other webserver. Thats it.

If you want to pass cookies to the browser, you’ll need to setcookie them.