Jump to content

cURL POST to login to a 3rd party site.


Recommended Posts

Hi guys, what I'm struggling to do is


1) Users land on https://www.mysite.com/login.php

2) Users type their email and password

3) POST data submitted to http://www.3rdparty.com/login.php with cURL

4) Users redirected to http://www.3rdparty.com/index.php (logged in).


I've been using this simple form to POST directly to the 3rd party site.


<form name="loginform" method="post" target="_blank" action="http://www.3rdparty.com/login.php">
Email <input name="email" type="text">
Password<input name="password" type="password">
<input name="submit" type="submit" id="loginbutton" value="login"></form>


This works great. But now I've installed a SSL on my site and I've just realised that using the form above, the data is still POSTed as a plain text because the 3rd party site is not https.

So I want to submit the form to my login.php form and let this form take the users to the 3rd party site. So at least the user inputs to my site is encrypted.

My new code looks like this.


<form name="loginform" method="post" target="_blank" action="login.php">
Email <input name="email" type="text">
Password<input name="password" type="password">
<input name="submit" type="submit" id="loginbutton" value="login"></form>
if(isset($_POST['email']))     $email= $_POST['email'];
if(isset($_POST['password']))   $password= $_POST['password'];
if(isset($_POST['submit']))   $submit   = $_POST['submit'];

$Curl_Session = curl_init('http://www.3rdparty.com/login.php');
curl_setopt ($Curl_Session, CURLOPT_POST, 1);
curl_setopt ($Curl_Session, CURLOPT_POSTFIELDS, "email=$email&password=$password&submit=$submit");
curl_setopt ($Curl_Session, CURLOPT_FOLLOWLOCATION, 1);
$result =  curl_exec ($Curl_Session);
curl_exec ($Curl_Session);
curl_close ($Curl_Session);

print $result;


What this code is doing now is it's just rendering the www.3rdparty.com's login page (not logged in) on my site.

When I type wrong values, it renders www.3rdparty.com's login page with an error message on it.

So I think at least the values are being POSTed but it doesn't log me in.

All of the cURL codes available out there seem to POST the data and fetch some results back not redirecting the users to another site.

My ultimate goal is to POST the form and redirect the users to the 3rd party site's member area as well.

I tried header("Location: http://www.3rdparty.com/index.php"); but it just takes user to that page without being logged in.


Could anyone give me some hints?

Link to comment
Share on other sites

you probably will not be able to accomplish this. here's why: when a browser (or your curl code) is logged in to 3rdparty.com, a cookie for the 3rdparty.com domain is set in the browser (or your code). you can't use your code to set the cookie for 3rdparty.com in the user's browser. therefore, the user's browser will not have the cookie and will not be considered logged in on 3rdparty.com.

Link to comment
Share on other sites

Thanks a lot for your reply.


Now I understood why I couldn't be logged in while I can post the data.


I found a thread of someone else who had the same issue

at http://www.webhostingtalk.com/showthread.php?t=696569


Some one there said


Send login data to remote site, and receive the response (result). You can either fopen/fget or cURL.

Extract the PHP session ID from the result and put it in a variable like $session.

Redirect the user to the remote site, with the session ID:

header("location: http://website.tld/after_succesful_login_page.php?PHPSESSID=$session")


Do you think this is possible?

Link to comment
Share on other sites

that is the only way i could think of to accomplish this. but it assumes the target site 1. will send PHPSESSID for you to use, 2. will take PHPSESSID from the URL and/or 3. is 'dumb' enough to let something like that work. it's essentially session highjacking. i don't know if apache and/or other web servers look for this stuff or not. it seems so obvious that i would expect there to be protection in place against it. a major concern is the sudden change of IP address from the server that logged in and the web browser that goes to the site afterward. also: user agent will change unless you adapt the user agent of the web browser before the login..... i am still very skeptical..

Link to comment
Share on other sites

Thanks again for your reply. I really appreciate it.


When I look at the HTTP headers, I see

Set-Cookie: PHPSESSID=2btu73afurcpm632sr9dsqpjo2; path=/


I'm not really sure how sessions work.. How do I test if the target site takes session ID from URL?

Can I type like www.3rdparty.com/index.php?PHPSESSID=2btu73afurcpm632sr9dsqpjo2 on a different browser like Chrome while I'm logged in on Firefox?


Arggggg this is driving me crazy. I got my contact mail form page secured, signup page secured using cURL, and it's going to be funny to see my login page sending plain text data lol.


What can I do if I don't have any control over the target site's security policy?

I just wanted to make it a bit safer at least at the user end.


Thanks again BlueSkyIS, hope you have a good one.

Link to comment
Share on other sites

This thread is more than a year old.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.