I'm trying to simulate a POST to a website based on what I see coming from Live HTTP headers in Firefox.
Here's a copy/paste of the log from the Firefox plugin:
POST /context?tab=login HTTP/1.1
Host: website
User-Agent:
Mozilla/5.0 (X11; U; Linux i686;
en-US; rv:1.9.2.13) Gecko/20101206
Ubuntu/10.10 (maverick)
Firefox/3.6.13
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset:
ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection:
keep-alive
Referer: referer
Cookie: fontsize=2;
JSESSIONID=0000pXE_BK7TjZFzEyNHqOKzXz2:-1
Content-Type:
application/x-www-form-urlencoded
Content-Length: 46
loginid=password&password=password&login=Login
And the response that follows immediately after the POST:
HTTP/1.1 302 Found
Location:
website/context?tab=p00689
Content-Language: en-US
Set-Cookie:
JSESSIONID=0000oaKlIeeDRWkX5YCiJu5v1lM:-1;
Path=/
Transfer-Encoding:
chunked
Date: Mon, 07 Feb 2011
14:15:21 GMT
Server: WebSphere
Application Server/6.1
Expires:
Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie,
set-cookie2"
Based on my testing, a response that redirects to
website/context?tab=p00689
Means that the user was authenticated and everything worked properly.
However, when trying to accomplish this via PHP & cURL, I'm being redirected to a page that informs the user that their session has timed out.
Here's the code:
// Provider only likes Firefox
$agent = "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13";
ini_set("user_agent", $agent);
// Cookie
$cookie = tempnam("/tmp", "curlcookie");
// Post everything that was posted to me.
$fields = $_POST;
foreach($fields as $key=>$value)
{
$fields_string .= "$key=$value&";
}
$fields_string = substr($fields_string, 0, strlen($fields_string) - 1);
// Custom headers
$headers = array(
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language: en-us,en;q=0.5",
"Accept-Encoding: gzip,deflate",
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
"Keep-Alive: 115",
"Connection: keep-alive");
// cURL options
$ch = curl_init("website");
curl_setopt($ch, CURLOPT_REFERER, "referer");
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_MAXREDIRS, 1);
curl_setopt($ch, CURLINFO_HEADER_OUT, true);
curl_setopt($ch, CURLOPT_USERAGENT, $agent);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
$output = curl_exec($ch);
$header = curl_getinfo($ch);
curl_close($ch);
// Debugging junk
echo nl2br($header["request_header"]);
echo "<br/><br/>Output:<br/><br/>$output";
The output from that script is as follows:
POST /context?tab=login HTTP/1.1
User-Agent: User-Agent: Mozilla/5.0
(X11; U; Linux i686; en-US;
rv:1.9.2.13) Gecko/20101206
Ubuntu/10.10 (maverick)
Firefox/3.6.13
Host: website
Pragma: no-cache
Referer:
referer
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset:
ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection:
keep-alive
Content-Length:
46
Content-Type:
application/x-www-form-urlencodedloginid=username&password=password&login=Login
Output:
HTTP/1.1 302
Found
Location:website/context?tab=p00697
Content-Language: en-US Set-Cookie:
JSESSIONID=0000Tl8NL1Hg2dbNv_PEnq-bbvr:-1;
Path=/ Set-Cookie:
JSESSIONID=0000Zue58y1tXg3tt4XjB8exXw6:-1;
Path=/ Transfer-Encoding: chunked
Date: Mon, 07 Feb 2011 19:18:20 GMT
Server: WebSphere Application
Server/6.1 Expires: Thu, 01 Dec 1994
16:00:00 GMT Cache-Control:
no-cache="set-cookie,
set-cookie2"
Based on what I've posted, is there anything obvious that I'm missing? What should I try next? The requests look semantically the same; I'm not sure what I could be doing incorrectly.
Best Answer
The one thing that stands out is the following line of code:
Now if this fails to create the file then
tempnam
would return false, meaning that the following lines of code:are as good as not being set at all, you should keep the cookie file within the same directory as the executing script.
the next thing is:
You do not need to do this as
CURLOPT_POSTFIELDS
accepts an array so you should be able to do:This will make sure that the entities are correctly parsed.
I also think you can remove the
ini_set
as that's for native functions such asfile_get_contents
andfopen
streams etc, so double check the line:Also I would check to see if there is a cookie already set from the main page, such as index.php as the site may block requests from sources that have come directly to the login page with data.