PHP/cURL: Unable to remote login

curlPHPredirectsquirrelmail

I am trying to login to a system (which happens to be using the SquirrelMail client) using cURL and I'm having trouble.

Here is my relevant PHP code:

$handle = curl_init();

curl_setopt($handle, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($handle, CURLOPT_POST, true);
curl_setopt($handle, CURLOPT_POSTFIELDS, "login_username=myusername&secretkey=mypass&js_autodetect_results=0");

$output = curl_exec($handle);
curl_close($handle);
print $output;

And when I try running it, the page comes back with a message saying I must be logged in to access it. Digging into the this login file (redirect.php if you are familiar with SquirrelMail), I see this error comes up when the variable login_username is not defined.

Here is my curl verbose output:

* About to connect() to www.cwazy.net port 80 (#0)
*   Trying 72.18.206.197... * connected
* Connected to www.cwazy.net (72.18.206.197) port 80 (#0)
> POST /wi/sm/src/redirect.php HTTP/1.1
Host: www.cwazy.net
Accept: */*
Content-Length: 64
Content-Type: application/x-www-form-urlencoded

< HTTP/1.1 302 Found
< Date: Sun, 10 Jan 2010 06:51:34 GMT
< Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
< X-Powered-By: PHP/5.2.6-1+lenny3
< Set-Cookie: SQMSESSID=b39c5dcf6e96309ac98b08b8f4f42374; path=/wi/sm/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Set-Cookie: SQMSESSID=b39c5dcf6e96309ac98b08b8f4f42374; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=b39c5dcf6e96309ac98b08b8f4f42374; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=b39c5dcf6e96309ac98b08b8f4f42374; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=b39c5dcf6e96309ac98b08b8f4f42374; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=b39c5dcf6e96309ac98b08b8f4f42374; path=/wi/sm/; HttpOnly
< Set-Cookie: squirrelmail_language=en_US; expires=Tue, 09-Feb-2010 06:51:34 GMT; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=6d70837e874750f37df81f0aaaa48618; path=/wi/sm/
< Set-Cookie: SQMSESSID=6d70837e874750f37df81f0aaaa48618; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=6d70837e874750f37df81f0aaaa48618; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=6d70837e874750f37df81f0aaaa48618; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=6d70837e874750f37df81f0aaaa48618; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=6d70837e874750f37df81f0aaaa48618; path=/wi/sm/; HttpOnly
< Set-Cookie: key=S9ZRyTL%2B; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=6d70837e874750f37df81f0aaaa48618; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=6d70837e874750f37df81f0aaaa48618; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=6d70837e874750f37df81f0aaaa48618; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=6d70837e874750f37df81f0aaaa48618; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=6d70837e874750f37df81f0aaaa48618; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=6d70837e874750f37df81f0aaaa48618; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=6d70837e874750f37df81f0aaaa48618; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=6d70837e874750f37df81f0aaaa48618; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=6d70837e874750f37df81f0aaaa48618; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=6d70837e874750f37df81f0aaaa48618; path=/wi/sm/; HttpOnly
< Location: webmail.php
< Content-Length: 0
< Content-Type: text/html; charset=iso-8859-1
< 
* Connection #0 to host www.cwazy.net left intact
* Issue another request to this URL: 'http://www.cwazy.net/wi/sm/src/webmail.php'
* Violate RFC 2616/10.3.3 and switch from POST to GET
* Re-using existing connection! (#0) with host www.cwazy.net
* Connected to www.cwazy.net (72.18.206.197) port 80 (#0)
> GET /wi/sm/src/webmail.php HTTP/1.1
Host: www.cwazy.net
Accept: */*

< HTTP/1.1 200 OK
< Date: Sun, 10 Jan 2010 06:51:40 GMT
< Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
< X-Powered-By: PHP/5.2.6-1+lenny3
< Set-Cookie: SQMSESSID=a6e32d5f2bd7a2ccca51edd2aa4ea143; path=/wi/sm/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Set-Cookie: SQMSESSID=a6e32d5f2bd7a2ccca51edd2aa4ea143; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=a6e32d5f2bd7a2ccca51edd2aa4ea143; path=/wi/sm/; HttpOnly
< Set-Cookie: SQMSESSID=a6e32d5f2bd7a2ccca51edd2aa4ea143; path=/wi/sm/; HttpOnly
< Content-Length: 1154
< Content-Type: text/html; charset=iso-8859-1
< 
* Connection #0 to host www.cwazy.net left intact
* Closing connection #0

Any ideas?

Best Answer

the initial POST returns the cookie:

Set-Cookie: SQMSESSID=6d70837e874750f37df81f0aaaa48618

but this cookie is not sent by the client on the next GET request. sm doesn't see any session and tries to create a new one with a new id:

Set-Cookie: SQMSESSID=a6e32d5f2bd7a2ccca51edd2aa4ea143

to fix this you can tell curl to store cookies:

curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');

and you may need to disable CURLOPT_FOLLOWLOCATION, and just request webmail.php in a second call to curl (using the same cookie jar with the authenticated session).