
Forum Moderators: coopster & jatar k


Can't get the .ASPXAUTH cookie value for login with PHP cURL

     

richelectron

3:27 pm on Nov 30, 2010 (gmt 0)

5+ Year Member



Hi All

I'm almost 100% sure I have read every post on the internet that contains the keywords asp login curl php .ASPXAUTH, but I have been unable to find a solution. I am more of a code hacker than an elegant developer though, so I hope that someone can help me please.

I have a curl script that logs in to two other websites to submit forms from behind the login successfully. However, I've recently tried to use a variation of this script for a third website. It works as far as returning the first page after login but then it treats any further cURL calls as if I haven't logged in. I discovered (well I think) that it's to do with the .ASPXAUTH cookie not being set. I do have a cookiefile and cookiejar setup in my cURL code and it catches the .ASP.NET_SessionID successfully, but not the .ASPXAUTH cookie.

I noticed that I can see the .ASPXAUTH cookie value in the headers when I watch "Live HTTP headers" but I can't get my cURL script to return the header with this set-cookie very easily. It seems that the cookie is set on a 302 after login and cURL is not handling this correctly. So I turned off CURLOPT_FOLLOWLOCATION and was trying to handle the redirect myself but I still can't get it right (the server returns a really strange redirect url and I don't think I'm doing this part right)

But I would be very grateful if someone could please help me...

Here is my code:

//setup Curl
$cookiename = substr($from,4,5);
$cookiefile = $cookiename . ".txt";
$ch = curl_init();
// NOTE: this turns off TLS certificate verification for every request made with this handle
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (Windows; MSIE 6.0; U; Windows NT 5.1)");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiefile);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiefile);

//read login page
curl_setopt($ch, CURLOPT_URL, "Login.aspx");
$result = curl_exec ($ch);

echo $result;



// extract values for hidden form fields __REQUESTDIGEST __VIEWSTATE __EVENTVALIDATION fields

//extract __REQUESTDIGEST
$start = strpos($result,"id=\"__REQUESTDIGEST\" value=\"") + 28;
$end = $start + 157;
$rdigest = substr($result , $start , $end - $start );

//extract __VIEWSTATE
$start = strpos($result,"id=\"__VIEWSTATE\" value=\"") + 24;
$end = $start + 16300;
$vstate = substr($result , $start , $end - $start );
$vstate = urlencode($vstate);

//extract __EVENTVALIDATION
$start = strpos($result,"id=\"__EVENTVALIDATION\" value=\"") + 30;
$end = $start + 120;
$event = substr($result , $start , $end - $start );
$event = urlencode($event);


//set login form values and login

//curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_REFERER, 'Login.aspx');
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, '__REQUESTDIGEST=' . $rdigest . '&__VIEWSTATE=' . $vstate . '&__EVENTVALIDATION=' . $event . '&UserName=' . $from . '&Password=' . $password);
$result = curl_exec ($ch);

echo $result;

//extract __redirect
$start = strpos($result,"Location:") + 10;
$end = strpos($result,".aspx") +5;
$redirect = substr($result , $start , $end - $start );
$redirect = "https://www.domain.com/" . $redirect;

echo $redirect ."<br /><br />";

echo $result;

curl_setopt($ch, CURLOPT_URL, $redirect);
$result = curl_exec ($ch);

echo $result;


And here is the output:

//Login page headers
HTTP/1.1 200 OK
Date: Tue, 30 Nov 2010 12:57:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 81835
//Login page body

Submit login page headers
HTTP/1.1 100 Continue
HTTP/1.1 302 Found
Date: Tue, 30 Nov 2010 13:40:30 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: /(F(RZPDiDBb9OPbTuBnj2RAgH8KglRdj4B4u8trRMpa6QbBjff4evKMtHnOFNyX046Xdr33PZA3-6dHoZjxQpeZ7aNTevF75gArtpeScCjE9fI1))/default.aspx
Set-Cookie: ASP.NET_SessionId=bhugr045cyybck45xvhpeb55; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 82196


//Redirect page body

//The login page body is displayed again

//More headers
HTTP/1.1 100 Continue
HTTP/1.1 500 Internal Server Error
Date: Tue, 30 Nov 2010 13:29:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3026

//Error message from server
Server Error in '/' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

coopster

3:39 pm on Dec 15, 2010 (gmt 0)

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



CURLOPT_FOLLOWLOCATION needs to be on to follow redirects, but the only issue I can think of off hand would be if you have any CURLOPT_MAXREDIRS set.

Also, there may be a clue in your last error message, try the server logs and/or the OS logs for an exact issue.

Just some thoughts ...

wildbest

4:57 pm on Dec 15, 2010 (gmt 0)

5+ Year Member



$cookiename = substr($from,4,5);

I don't see what's the input string that $from is equal to?

richelectron

5:08 pm on Dec 15, 2010 (gmt 0)

5+ Year Member



Thanks for the response guys. @wildbest - $from is the username they log in with. I've made the cookie name a substring of it so that I'm not storing complete data on the server.

@coopster I know followlocation needs to be on for redirects but the cookie is not set when it's on... So I was trying to do the redirect manually so that I can process the headers manually. That's where I am having trouble though. Where should I look in the server logs and what should I look for?

Thanks again

wildbest

6:13 pm on Dec 15, 2010 (gmt 0)

5+ Year Member



richelectron, is that the entire code or just extracts of it?

richelectron

6:32 pm on Dec 15, 2010 (gmt 0)

5+ Year Member



Wildbest, it's a code extract...

I've used it for other purposes and it works. But the aspxauth cookie value is not being set for the new asp website I'm trying to get in to when I use automatic redirection with followlocation set to true. I set it to off to try and handle the redirect (and hopefully capture the cookie value from the headers) manually but I'm still having no luck. I can see the cookie in live http headers but it's not showing up in the curl headers?

wildbest

7:08 pm on Dec 15, 2010 (gmt 0)

5+ Year Member



it's a code extract...

Is this one extract or many? I don't think there is much chance someone can help you if they have to guess what's between the pieces of the code you've posted.

coopster

8:12 pm on Dec 15, 2010 (gmt 0)

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member



You aren't closing the connection somewhere in between the calls (exec), are you?

richelectron

11:22 pm on Dec 15, 2010 (gmt 0)

5+ Year Member



It's just the one complete code extract with the header data it generates. I don't think I'm closing the connection before I intend to. To reiterate - the asp session cookie gets set correctly in the cURL cookie jar but the aspxauth cookie does not. I don't understand why not and I am failing dismally at following the page headers to execute the redirects manually. I was hoping to read the aspxauth cookie directly from the headers to set it manually. But I can't seem to get to the point where I can retrieve it. Apologies for the brief replies but I'm away from home for a while and trying to reply from a mobile device... I really appreciate the feedback though.

wildbest

11:57 am on Dec 16, 2010 (gmt 0)

5+ Year Member



It's just the one complete code extract with the header data it generates.

Okay, then there are several issues you might want to look into, including the following:

1. As coopster said CURLOPT_FOLLOWLOCATION needs to be on to follow redirects. Check your CURLOPT_MAXREDIRS default value.

2. I don't see how you actually create $cookiefile. Be careful how you handle the open/read/write/close permissions. By using CURLOPT_COOKIEFILE you actually activate the curl cookie parser and curl will automatically handle all cookies in a single curl transaction WITHOUT such a file even existing! This is why your code might have worked with other websites, but is generating an error with this one.

3. It's possible to use multiple instances of CURLOPT_URL in one curl_exec transaction (as your case might be). However, curl's persistent connection capability can be used ONLY if all the URLs are on the same host! If you have a redirect for your second (PUT) request, I'm afraid, you have to use more than one curl_exec/curl_close transaction and store the cookies in between.

4. To collect cookies received with your first (GET) request, set the CURLOPT_COOKIEJAR. Then use CURLOPT_COOKIEFILE in your second (PUT) curl transaction to recall them. But along with CURLOPT_POSTFIELDS you must use CURLOPT_POST. This is why you should uncomment [//curl_setopt($ch, CURLOPT_POST, true);].

5. The use of "Login.aspx" both in CURLOPT_URL and CURLOPT_REFERER can be an issue, although I'm not 100% sure.

6. Depending on configuration of the website under question and use of doPostBack functions, the use of CURLOPT_HTTPHEADER may be needed. You have to figure out what headers browser must send and create the respective array to be sent along with the PUT request.

Let us know if that helps and if it does, please post a working example of your code here.

richelectron

3:51 pm on Dec 16, 2010 (gmt 0)

5+ Year Member



Thanks again wildbest, I'll give it another go when I'm back at my pc again and will let you know if I get any further...

richelectron

2:59 pm on Jan 7, 2011 (gmt 0)

5+ Year Member



1. As coopster said CURLOPT_FOLLOWLOCATION needs to be on to follow redirects. Check your CURLOPT_MAXREDIRS default value.

Okay, I've reverted to try and do this the automatic way. I did discover that I wasn't always getting in successfully because one of the hidden form fields was varying in length as well. And I had hard coded the length before, so I am managing to get the first page to load 100% of the time now.

2. I don't see how you actually create $cookiefile. Be careful how you handle the open/read/write/close permissions. By using CURLOPT_COOKIEFILE you actually activate the curl cookie parser and curl will automatically handle all cookies in a single curl transaction WITHOUT such a file even existing! This is why your code might have worked with other websites, but is generating an error with this one.

For the purposes of testing I have hardcoded a cookiefile path and checked that it is being written to successfully.


3. It's possible to use multiple instances of CURLOPT_URL in one curl_exec transaction (as your case might be). However, curl's persistent connection capability can be used ONLY if all the URLs are on the same host! If you have a redirect for your second (PUT) request, I'm afraid, you have to use more than one curl_exec/curl_close transaction and store the cookies in between.

All of the URLs are on the same host.

4. To collect cookies received with your first (GET) request, set the CURLOPT_COOKIEJAR. Then use CURLOPT_COOKIEFILE in your second (PUT) curl transaction to recall them. But along with CURLOPT_POSTFIELDS you must use CURLOPT_POST. This is why you should uncomment [//curl_setopt($ch, CURLOPT_POST, true);].

I have enabled CURLOPT_POST

5. The use of "Login.aspx" both in CURLOPT_URL and CURLOPT_REFERER can be an issue, although I'm not 100% sure.

I've removed this referer value as well

6. Depending on configuration of the website under question and use of doPostBack functions, the use of CURLOPT_HTTPHEADER may be needed. You have to figure out what headers browser must send and create the respective array to be sent along with the PUT request.

Please could you possibly elaborate a bit more on this last point? Thanks.

Update: the initial page will load once I login, but if I try to navigate to any other pages then it prompts me for login again. I can see that the ASP.NET_SessionId cookie variable is being set automatically in my cookie file. But .ASPXAUTH is still not being picked up. Somehow I need to get this value, but I can't see it in the curl headers that are returned by default. The ASP.NET_SessionId Cookie value does show up in the headers though.
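The varying-length hidden field mentioned in this post comes from cutting values out of the page at fixed offsets. As an added example (not code from the thread), the sketch below reads every hidden input with PHP's DOM parser and URL-encodes the whole POST body in one step; the function name `extractHiddenFields`, the sample page and the credentials are constructed for illustration.

```php
<?php
// Added example: pull ASP.NET hidden form fields out of a login page by
// parsing the HTML instead of assuming fixed value lengths.

/** Return every <input type="hidden"> name => value pair found in $html. */
function extractHiddenFields(string $html): array
{
    $doc = new DOMDocument();
    // Real pages are rarely valid HTML; collect parser warnings silently.
    $previous = libxml_use_internal_errors(true);
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $fields = [];
    foreach ($doc->getElementsByTagName('input') as $input) {
        if (strtolower($input->getAttribute('type')) === 'hidden'
            && $input->getAttribute('name') !== '') {
            $fields[$input->getAttribute('name')] = $input->getAttribute('value');
        }
    }
    return $fields;
}

// Constructed sample page: values are made up and deliberately differ in length.
$samplePage = <<<'HTML'
<html><body><form method="post" action="Login.aspx">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKSAMPLE+value/with=chars" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWAgSAMPLE==" />
<input type="hidden" name="__REQUESTDIGEST" id="__REQUESTDIGEST" value="0xSAMPLE,30 Nov 2010 12:57:09 -0000" />
<input type="text" name="UserName" /><input type="password" name="Password" />
</form></body></html>
HTML;

$post = extractHiddenFields($samplePage);
$post['UserName'] = 'example-user';      // placeholder credentials
$post['Password'] = 'example-password';

// http_build_query() URL-encodes every value, including '+', '/' and '='.
$body = http_build_query($post);
echo $body, "\n";
// With a live handle: curl_setopt($ch, CURLOPT_POST, true);
//                     curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
```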

richelectron

6:23 am on Jan 12, 2011 (gmt 0)

5+ Year Member



Wildbest, I dug into your headers tip a little more and updated my useragent line to a different user agent and suddenly the .ASPXAUTH cookie was set correctly (and automatically) in the cookie file :)

In other words I changed this line:

curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (Windows; MSIE 6.0; U; Windows NT 5.1)");

to this:

curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 ( .NET CLR 3.5.30729)");

And now both cookies are set automatically by curl - no problem.

Hooray!

wildbest

7:49 am on Jan 12, 2011 (gmt 0)

5+ Year Member



In other words I changed this line:

curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (Windows; MSIE 6.0; U; Windows NT 5.1)");

Obviously, this user agent string is blacklisted by the website you're trying to access. I'm glad it's okay now.
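An added example, not code from the thread: a way to see which response in a redirect chain sets which cookie, so two runs with different User-Agent strings can be compared. The Location header in the output posted earlier has the `/(F(...))/` shape that ASP.NET uses when it carries the forms-authentication ticket in the URL rather than in a `.ASPXAUTH` cookie, so the function flags that case too. `auditAuthHops` and all sample values are constructed for illustration.

```php
<?php
// Added example (not from the thread): for each response in a cURL header
// dump, list the cookie names set and flag a forms-auth ticket in the URL.

function auditAuthHops(string $rawHeaders): array
{
    $hops = [];
    foreach (preg_split('/\r?\n/', $rawHeaders) as $line) {
        if (preg_match('#^HTTP/\d(?:\.\d)?\s+(\d{3})#', $line, $m)) {
            // Every status line (100, 302, 200, ...) starts a new response.
            $hops[] = ['status' => (int) $m[1], 'cookies' => [], 'ticketInUrl' => false];
            continue;
        }
        if (!$hops) {
            continue; // nothing to attach a header to yet
        }
        $i = count($hops) - 1;
        if (stripos($line, 'Set-Cookie:') === 0) {
            // Record the cookie name only; the value is a credential.
            $pair = ltrim(substr($line, strlen('Set-Cookie:')));
            $hops[$i]['cookies'][] = explode('=', $pair, 2)[0];
        } elseif (stripos($line, 'Location:') === 0) {
            // Cookieless ASP.NET forms auth looks like /(F(ticket))/page.aspx
            $hops[$i]['ticketInUrl'] =
                preg_match('#/\((?:[A-Z]\([^()]*\))*F\([^()]+\)#', $line) === 1;
        }
    }
    return $hops;
}

// Constructed dumps (placeholder values): one login answered with the ticket
// in the URL, one answered with a .ASPXAUTH cookie.
$samples = [
    'ticket in URL' => "HTTP/1.1 100 Continue\r\n\r\nHTTP/1.1 302 Found\r\n"
        . "Location: /(F(CONSTRUCTED-TICKET))/default.aspx\r\n"
        . "Set-Cookie: ASP.NET_SessionId=constructed; path=/; HttpOnly\r\n\r\n",
    'ticket in cookie' => "HTTP/1.1 100 Continue\r\n\r\nHTTP/1.1 302 Found\r\n"
        . "Location: /default.aspx\r\n"
        . "Set-Cookie: ASP.NET_SessionId=constructed; path=/; HttpOnly\r\n"
        . "Set-Cookie: .ASPXAUTH=constructed; path=/; HttpOnly\r\n\r\n",
];

foreach ($samples as $label => $dump) {
    foreach (auditAuthHops($dump) as $hop) {
        printf("%-16s %d cookies=[%s] ticketInUrl=%s\n", $label, $hop['status'],
            implode(', ', $hop['cookies']), $hop['ticketInUrl'] ? 'yes' : 'no');
    }
}
```

With a live handle that has `CURLOPT_HEADER` enabled, the header portion of the response is `substr($result, 0, curl_getinfo($ch, CURLINFO_HEADER_SIZE))`. A ticket carried in the URL ends up in logs and Referer headers, which is one reason to prefer the cookie form.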
 
