Beat Juggler Posted November 12, 2007 Share Posted November 12, 2007 Hi! I'm trying to write a script that should login to the remote server. I wrote the script that I included below, but when I run it, I receive a page with the login form again, and I expect to see the page that appears right after the login. In other words, the script doesn't work properly, the remote server doesn't let me in. The remote server is not secure (no https) and I suppose they have no any kind of protection against the automated parsing, I'm not intruding the bank, and I suppose that the error is somewhere in the script, or I need to include some additional params in the CURL request. I'm new to CURL, so I have 4 questions, and I would really appreciate if someone could provide some help or info. 1) The remote server uses redirect. When I login normally through the web browser, in my IE address bar I don't get the url of the script that is in the form action tag. In other words, in the post form I have form method="post" action="some_url", and when login is successful, I see http://someserver.com/another_url in the browser. Question: Is it possible that my CURL script below has no params for processing this redirect properly? 2) The remote server is created in jsp probably (it writes JSESSIONID). Question: Is it possible that there are some special settings for pages in jsp, or jsp cookies/sessions are not properly passed? 3) Authentication Question: Maybe I need to set CURLOPT_HTTPAUTH or something? I tried to set curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY); but it didn't help. 4) Protection Question: Is there any way the server could detect that I'm using CURL? Maybe there is some HTTP header string attached or something? May this be because of some specific CURL lib version? So the script: <?php $cookie_file = "/home/www/myhost/cookies.txt"; $page_link = "http://server3.sampleserver.com/go.cmd/login"; $fp = fopen('verbose.txt', 'w+'); fwrite($fp, date('Y-m-d H:i:s')."\n\n"); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "$page_link"); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_VERBOSE, 1); curl_setopt($ch, CURLOPT_STDERR, $fp); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, "login=12345&password=56789"); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_NOBODY, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_REFERER, "http://www.sampleserver.com/"); curl_setopt($ch, CURLOPT_USERAGENT, "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)"); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file); $page_content = curl_exec($ch); if(curl_errno($ch)) { print "CURL error " . curl_errno($ch); exit; } curl_close($ch); flush(); print $page_content; exit; ?> Verbose log: 2007-11-12 16:45:14 * About to connect() to server3.sampleserver.com port 80 * Trying XXX.XXX.XXX.XXX... * connected * Connected to server3.sampleserver.com (XXX.XXX.XXX.XXX) port 80 > POST /go.cmd/login HTTP/1.1 User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT) Host: server3.sampleserver.com Pragma: no-cache Accept: */* Referer: http://www.sampleserver.com Content-Length: 87 Content-Type: application/x-www-form-urlencoded login=12345&password=56789< HTTP/1.1 200 OK < Server: Resin/2.1.16 < Vary: Accept-Encoding * Replaced cookie JSESSIONID="none" for domain sampleserver.com, path /, expire 786297600 < Set-Cookie: JSESSIONID=none; domain=.sampleserver.com; path=/; expires=Thu, 01-Dec-1994 16:00:00 GMT < Content-Type: text/html;charset=UTF-8 < Transfer-Encoding: chunked < Date: Mon, 12 Nov 2007 13:45:14 GMT * Connection #0 to host server3.sampleserver.com left intact * Closing connection #0 Log ended and... Thank you! Quote Link to comment Share on other sites More sharing options...
GingerRobot Posted November 12, 2007 Share Posted November 12, 2007 One thing that stands out immediately to me (perhaps only because i made the same mistake, and spent ages looking for it!) is that in your postfields, you do not set the value of the submit button. You should have something like "login=12345&password=56789&submitbuttonname=submitbuttonvalue" Imagine that the site you are accessing is written in PHP: <?php if(!isset($_POST['submit']){ //redirect to form page }else{ //process form } ?> This could explain why you are being sent back to the login page. Otherwise, i suggest you get firefox, and the live HTTP headers extension which is very useful for finding out exactly what is being passed to the host. Quote Link to comment Share on other sites More sharing options...
aschk Posted November 12, 2007 Share Posted November 12, 2007 Look at the source of the page you are sending to , and find what input fields they are using and their EXACT names. Also bear in mind that some sites may use a SESSION identifier either in the form or otherwise to make sure the session hasn't changed and the invisible value (maybe a hidden field) has been posted also. Quote Link to comment Share on other sites More sharing options...
GingerRobot Posted November 12, 2007 Share Posted November 12, 2007 Indeed. As i say, using firefox with the live HTTP headers extension makes that sort of thing much easier to spot. Quote Link to comment Share on other sites More sharing options...
Beat Juggler Posted November 12, 2007 Author Share Posted November 12, 2007 Thank you all for your answers! Concerning the form fields and submit buttons, yes, that is right, I actually pass the fields correctly with submit button also, I just skipped it in the example, I have checked this part several times. Besides, as you can see in the log, the login page that I get in return to my CURL request clears JSESSIONID, and if I click login button on it in my web browser (when I get it from CURL), I get inside correctly. This probably means that there's no initial session id, and it is not transferred in the form fields... Could you please give me link to the live HTTP headers extension for fire fox? Is it this one: https://addons.mozilla.org/en-US/firefox/addon/3829 I feel that maybe error is still somewhere in the parameters of the CURL... Have anyone ever used CURL to login to the jsp system with redirect? Do you think I set CURLOPT params correctly? Is it possible to detect CURL access somehow? I also checked the homepage of the remote server, it doesn't set any session ids. Some systems may require this, so that you first curl the homepage to set session, and only then you try to login. This is not this case, so I think I can login directly through the form with epmty initial cookie file, but it still not working.... Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.