Can't get the .ASPXAUTH cookie value for login with PHP cURL
richelectron




msg:4236874
 3:27 pm on Nov 30, 2010 (gmt 0)

Hi All

I'm almost 100% sure I have read every post on the internet that contains the keywords asp login curl php .ASPXAUTH, but I have been unable to find a solution. I am more of a code hacker than elegant developer though, so I hope that someone can help me please.

I have a curl script that logs in to two other websites to submit forms from behind the login successfully. However, I've recently tried to use a variation of this script for a third website. It works as far as returning the first page after login but then it treats any further cURL calls as if I haven't logged in. I discovered (well I think) that it's to do with the .ASPXAUTH cookie not being set. I do have a cookiefile and cookiejar setup in my cURL code and it catches the .ASP.NET_SessionID successfully, but not the .ASPXAUTH cookie.

I noticed that I can see the .ASPXAUTH cookie value in the headers when I watch "Live HTTP headers" but I can't get my cURL script to return the header with this set-cookie very easily. It seems that the cookie is set on a 302 after login and cURL is not handling this correctly. So I turned off CURLOPT_FOLLOWLOCATION and was trying to handle the redirect myself but I still can't get it right (the server returns a really strange redirect url and I don't think I'm doing this part right)

But I would be very grateful if someone could please help me...

Here is my code:

//setup Curl
$cookiename = substr($from,4,5);
$cookiefile = $cookiename . ".txt";
$ch = curl_init();
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (Windows; MSIE 6.0; U; Windows NT 5.1)");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiefile);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiefile);

//read login page
curl_setopt($ch, CURLOPT_URL, "Login.aspx");
$result = curl_exec ($ch);

echo $result;



// extract values for hidden form fields __REQUESTDIGEST __VIEWSTATE __EVENTVALIDATION fields

//extract __REQUESTDIGEST
$start = strpos($result,"id=\"__REQUESTDIGEST\" value=\"") + 28;
$end = $start + 157;
$rdigest = substr($result , $start , $end - $start );

//extract __VIEWSTATE
$start = strpos($result,"id=\"__VIEWSTATE\" value=\"") + 24;
$end = $start + 16300;
$vstate = substr($result , $start , $end - $start );
$vstate = urlencode($vstate);

//extract __EVENTVALIDATION
$start = strpos($result,"id=\"__EVENTVALIDATION\" value=\"") + 30;
$end = $start + 120;
$event = substr($result , $start , $end - $start );
$event = urlencode($event);


//set login form values and login

//curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_REFERER, 'Login.aspx');
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, '__REQUESTDIGEST=' . $rdigest . '&__VIEWSTATE=' . $vstate . '&__EVENTVALIDATION=' . $event . '&UserName=' . $from . '&Password=' . $password);
$result = curl_exec ($ch);

echo $result;

//extract __redirect
$start = strpos($result,"Location:") + 10;
$end = strpos($result,".aspx") +5;
$redirect = substr($result , $start , $end - $start );
$redirect = "https://www.domain.com/" . $redirect;

echo $redirect ."<br /><br />";

echo $result;

curl_setopt($ch, CURLOPT_URL, $redirect);
$result = curl_exec ($ch);

echo $result;


And here is the output:

//Login page headers
HTTP/1.1 200 OK Date: Tue, 30 Nov 2010 12:57:09 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 81835
//Login page body

Submit login page headers
HTTP/1.1 100 Continue HTTP/1.1 302 Found Date: Tue, 30 Nov 2010 13:40:30 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Location: /(F(RZPDiDBb9OPbTuBnj2RAgH8KglRdj4B4u8trRMpa6QbBjff4evKMtHnOFNyX046Xdr33PZA3-6dHoZjxQpeZ7aNTevF75gArtpeScCjE9fI1))/default.aspx Set-Cookie: ASP.NET_SessionId=bhugr045cyybck45xvhpeb55; path=/; HttpOnly Cache-Control: no-cache Pragma: no-cache Expires: -1 Content-Type: text/html; charset=utf-8 Content-Length: 82196


//Redirect page body

//The login page body is displayed again

//More headers
HTTP/1.1 100 Continue HTTP/1.1 500 Internal Server Error Date: Tue, 30 Nov 2010 13:29:05 GMT Server: Microsoft-IIS/6.0 X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 Cache-Control: private Content-Type: text/html; charset=utf-8 Content-Length: 3026

//Error message from server
Server Error in '/' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

 

coopster




msg:4242689
 3:39 pm on Dec 15, 2010 (gmt 0)

CURLOPT_FOLLOWLOCATION needs to be on to follow redirects, but the only issue I can think of offhand would be if you have any CURLOPT_MAXREDIRS set.

Also, there may be a clue in your last error message; try the server logs and/or the OS logs for an exact issue.

Just some thoughts ...

wildbest




msg:4242718
 4:57 pm on Dec 15, 2010 (gmt 0)

$cookiename = substr($from,4,5);

I don't see what the input string is that $from is equal to?

richelectron




msg:4242726
 5:08 pm on Dec 15, 2010 (gmt 0)

Thanks for the response guys. @wildbest - $from is the username they log in with. I've made the cookie name a substring of it so that I'm not storing complete data on the server.

@coopster I know followlocation needs to be on for redirects but the cookie is not set when it's on... So I was trying to do the redirect manually so that I can process the headers manually. That's where I am having trouble though. Where should I look in the server logs and what should I look for?

Thanks again

wildbest




msg:4242754
 6:13 pm on Dec 15, 2010 (gmt 0)

richelectron, is that the entire code or just extracts of it?

richelectron




msg:4242767
 6:32 pm on Dec 15, 2010 (gmt 0)

Wildbest, it's a code extract...

I've used it for other purposes and it works. But the aspxauth cookie value is not being set for the new asp website I'm trying to get in to when I use automatic redirection with followlocation set to true. I set it to off to try and handle the redirect (and hopefully capture the cookie value from the headers) manually but I'm still having no luck. I can see the cookie in live http headers but it's not showing up in the curl headers?

wildbest




msg:4242785
 7:08 pm on Dec 15, 2010 (gmt 0)

it's a code extract...

Is this one extract or many? I don't think there is much chance someone can help you if they have to guess what's between the pieces of the code you've posted.

coopster




msg:4242820
 8:12 pm on Dec 15, 2010 (gmt 0)

You aren't closing the connection somewhere in between the calls (exec), are you?

richelectron




msg:4242902
 11:22 pm on Dec 15, 2010 (gmt 0)

It's just the one complete code extract with the header data it generates. I don't think I'm closing the connection before I intend to. To reiterate - the asp session cookie gets set correctly in the cURL cookie jar but the aspxauth cookie does not. I don't understand why not and I am failing dismally at following the page headers to execute the redirects manually. I was hoping to read the aspxauth cookie directly from the headers to set it manually. But I can't seem to get to the point where I can retrieve it. Apologies for the brief replies but I'm away from home for a while and trying to reply from a mobile device... I really appreciate the feedback though.

wildbest




msg:4243080
 11:57 am on Dec 16, 2010 (gmt 0)

It's just the one complete code extract with the header data it generates.

Okay, then there are several issues you might want to look into, including the following:

1. As coopster said, CURLOPT_FOLLOWLOCATION needs to be on to follow redirects. Check your CURLOPT_MAXREDIRS default value.

2. I don't see how you actually create $cookiefile. Be careful how you handle the open/read/write/close permissions. By using CURLOPT_COOKIEFILE you actually activate the curl cookie parser and curl will automatically handle all cookies in a single curl transaction WITHOUT such a file even existing! This is why your code might have worked with other websites, but is generating an error with this one.

3. It's possible to use multiple instances of CURLOPT_URL in one curl_exec transaction (as your case might be). However, curl's persistent connection capability can be used ONLY if all the URLs are on the same host! If you have a redirect for your second (PUT) request, I'm afraid, you have to use more than one curl_exec/curl_close transaction and store the cookies in between.

4. To collect cookies received with your first (GET) request, set the CURLOPT_COOKIEJAR. Then use CURLOPT_COOKIEFILE in your second (PUT) curl transaction to recall them. But along with CURLOPT_POSTFIELDS you must use CURLOPT_POST. This is why you should uncomment [//curl_setopt($ch, CURLOPT_POST, true);].

5. The use of "Login.aspx" both in CURLOPT_URL and CURLOPT_REFERER can be an issue, although I'm not 100% sure.

6. Depending on the configuration of the website in question and its use of doPostBack functions, the use of CURLOPT_HTTPHEADER may be needed. You have to figure out what headers the browser must send and create the respective array to be sent along with the PUT request.

Let us know if that helps and if it does, please post a working example of your code here.

richelectron




msg:4243152
 3:51 pm on Dec 16, 2010 (gmt 0)

Thanks again wildbest, I'll give it another go when I'm back at my PC again and will let you know if I get any further...

richelectron




msg:4250287
 2:59 pm on Jan 7, 2011 (gmt 0)

1. As coopster said, CURLOPT_FOLLOWLOCATION needs to be on to follow redirects. Check your CURLOPT_MAXREDIRS default value.

Okay, I've reverted to try and do this the automatic way. I did discover that I wasn't always getting in successfully because one of the hidden form fields was varying in length as well. And I had hard coded the length before, so I am managing to get the first page to load 100% of the time now.

2. I don't see how you actually create $cookiefile. Be careful how you handle the open/read/write/close permissions. By using CURLOPT_COOKIEFILE you actually activate the curl cookie parser and curl will automatically handle all cookies in a single curl transaction WITHOUT such a file even existing! This is why your code might have worked with other websites, but is generating an error with this one.

For the purposes of testing I have hardcoded a cookiefile path and checked that it is being written to successfully.

3. It's possible to use multiple instances of CURLOPT_URL in one curl_exec transaction (as your case might be). However, curl's persistent connection capability can be used ONLY if all the URLs are on the same host! If you have a redirect for your second (PUT) request, I'm afraid, you have to use more than one curl_exec/curl_close transaction and store the cookies in between.

All of the URLs are on the same host.

4. To collect cookies received with your first (GET) request, set the CURLOPT_COOKIEJAR. Then use CURLOPT_COOKIEFILE in your second (PUT) curl transaction to recall them. But along with CURLOPT_POSTFIELDS you must use CURLOPT_POST. This is why you should uncomment [//curl_setopt($ch, CURLOPT_POST, true);].

I have enabled CURLOPT_POST.

5. The use of "Login.aspx" both in CURLOPT_URL and CURLOPT_REFERER can be an issue, although I'm not 100% sure.

I've removed this referer value as well.

6. Depending on the configuration of the website in question and its use of doPostBack functions, the use of CURLOPT_HTTPHEADER may be needed. You have to figure out what headers the browser must send and create the respective array to be sent along with the PUT request.

Please could you possibly elaborate a bit more on this last point? Thanks.

Update: the initial page will load once I login, but if I try to navigate to any other pages then it prompts me for login again. I can see that the ASP.NET_SessionId cookie variable is being set automatically in my cookie file. But .ASPXAUTH is still not being picked up. Somehow I need to get this value, but I can't see it in the curl headers that are returned by default. The ASP.NET_SessionId Cookie value does show up in the headers though.

richelectron




msg:4252228
 6:23 am on Jan 12, 2011 (gmt 0)

Wildbest, I dug into your headers tip a little more and updated my useragent line to a different user agent and suddenly the .ASPXAUTH cookie was set correctly (and automatically) in the cookie file :)

In other words I changed this line:

curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (Windows; MSIE 6.0; U; Windows NT 5.1)");

to this:

curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729)");

And now both cookies are set automatically by curl - no problem.

Hooray!

wildbest




msg:4252238
 7:49 am on Jan 12, 2011 (gmt 0)

In other words I changed this line:

curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (Windows; MSIE 6.0; U; Windows NT 5.1)");

Obviously, this user agent string is blacklisted by the website you're trying to access. I'm glad it's okay now.
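
Added example, not part of any post in this thread: the 302 `Location` in the output posted above starts with a `(F(...))` path segment, which is the form ASP.NET uses to carry a forms-authentication ticket in the URL when it runs cookieless instead of sending `.ASPXAUTH`. The PHP below splits the stacked header blocks that `CURLOPT_HEADER` returns and reports how the ticket was delivered; the function names and the sample headers are constructed for illustration, and `.ASPXAUTH` is assumed to be the cookie name in use.

```php
<?php
// Added example; the sample headers are constructed, modelled on the thread's output.

/** Split the stacked header blocks cURL returns (100 Continue, 302, ...). */
function split_header_blocks(string $raw): array
{
    $blocks = [];
    foreach (preg_split('/\r?\n\r?\n/', trim($raw)) as $chunk) {
        $lines = preg_split('/\r?\n/', trim($chunk));
        if (!preg_match('#^HTTP/\d(?:\.\d)?\s+(\d{3})#', $lines[0], $m)) {
            continue; // body text, not a header block
        }
        $block = ['status' => (int) $m[1], 'location' => null, 'cookies' => []];
        foreach (array_slice($lines, 1) as $line) {
            if (stripos($line, 'Location:') === 0) {
                $block['location'] = trim(substr($line, 9));
            } elseif (stripos($line, 'Set-Cookie:') === 0) {
                // Record only the cookie name; the value is a credential.
                $block['cookies'][] = explode('=', trim(substr($line, 11)), 2)[0];
            }
        }
        $blocks[] = $block;
    }
    return $blocks;
}

/** Report how the forms-auth ticket was delivered: 'cookie', 'url' or 'none'. */
function auth_ticket_transport(string $raw): string
{
    foreach (split_header_blocks($raw) as $b) {
        if (in_array('.ASPXAUTH', $b['cookies'], true)) { // assumed cookie name
            return 'cookie';
        }
        // Cookieless mode: the ticket sits in an F(...) group inside a (...) path segment.
        if ($b['location'] !== null
            && preg_match('#/\([^/]*\bF\([^)]+\)[^/]*\)/#', $b['location'])) {
            return 'url';
        }
    }
    return 'none';
}

// Constructed sample: a 100 Continue block followed by the login redirect.
$sample = "HTTP/1.1 100 Continue\r\n\r\n"
        . "HTTP/1.1 302 Found\r\n"
        . "Location: /(F(CONSTRUCTED-TICKET))/default.aspx\r\n"
        . "Set-Cookie: ASP.NET_SessionId=constructedid; path=/; HttpOnly\r\n\r\n";

echo auth_ticket_transport($sample), "\n";
```

A ticket carried in the URL is a credential that ends up in proxy logs, browser history and Referer headers, so URLs containing an `F(` group deserve the same handling as the cookie value.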
