
session cookies and cURL

Posted: Tue Aug 05, 2008 5:33 pm
by gkh01
I have a function "Redirect", as shown below (comments and error-checking removed for brevity):

From what I could glean off the web, I thought that setting the CURLOPT_COOKIEJAR and CURLOPT_COOKIEFILE options as I have done would make the current session cookie available in the target page. But it is not, and nothing appears to be written to curl_cookies.txt. I then tried creating the file in case cURL could/would not do it, and I set the file to have permissions 666 so that it can be read and written to. It is under the home directory so it cannot be browsed to. Did I not specify the path correctly? I tried moving it (temporarily) to a public area, but there was no difference.

Code:

 
function Redirect($url, $postinfo) 
{ 
    $curlh = curl_init(); 
    curl_setopt($curlh, CURLOPT_URL, $url); 
 
    if(isset($postinfo)) 
    { 
        curl_setopt($curlh, CURLOPT_POST, 1); 
        curl_setopt($curlh, CURLOPT_POSTFIELDS, $postinfo); 
    }        
 
    curl_setopt($curlh, CURLOPT_COOKIEJAR, "/curl_cookies/curl_cookies.txt"); 
 
    curl_setopt($curlh, CURLOPT_COOKIEFILE, "/curl_cookies/curl_cookies.txt");
        
    curl_exec($curlh); 
    curl_close($curlh); 
  
    return 1; 
} 
 
This is how it is being used:

The flow follows the "Dispatch" method suggested in this article http://shiflett.org/articles/secure-design.

All dynamic pages (excluding Gallery) are entered through http://www.hrsms.org/run.php with an option set as a GET parameter, ex. http://www.hrsms.org/run.php?script=resources

If a visitor requests a private page, ex. http://www.hrsms.org/run.php?script=members, they are redirected to the login page, if not already logged in. When the form is submitted, and the user validated, the form posts back to the originally requested page, the script sees the user is logged in, and the content is displayed. Again, in a little more detail:

In the validation step the login form tries to match a token (hidden field of form) to the current session token. The problem appears to be that the session cookie is not available after redirecting using cURL, so the form creates a new token, which will not match the current session token. The current session is available when keying in a new web address, clicking a link <a href="...> or posting the form. It is the cURL redirect that is not passing along the cookie (or whatever the correct term may be).

It's the first time I've attempted to use cURL.
Can anyone spot my error above?

Thanks!!
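
Added example, not part of the original post: a cURL handle is a separate HTTP client running on the server, so it sends only the cookies it has been given, and the jar file holds only cookies that client received itself; the visitor's browser cookie is never in it. The sketch below forwards the current PHP session cookie explicitly and returns the request headers so the Cookie line can be checked. The names `fetch_with_session`, `$allowedHost` and `$jar` are hypothetical, and it assumes the target page belongs to the same application and uses PHP's native sessions.

```php
<?php
// Added example, not the poster's code. Assumes native PHP sessions and a
// target page served by the same application.

/**
 * Fetch $url server-side while presenting the visitor's session cookie.
 * Returns [response body, request headers cURL actually sent].
 */
function fetch_with_session(string $url, ?array $postinfo, string $allowedHost, string $jar): array
{
    // The session ID is a credential: only ever send it to our own host.
    if (parse_url($url, PHP_URL_HOST) !== $allowedHost) {
        throw new InvalidArgumentException('refusing to send session cookie to another host');
    }
    // libcurl writes the jar only when the handle is closed or freed, and does
    // not report a failure to PHP, so check the directory up front.
    // Use one jar per visitor: a single shared file mixes different users' cookies.
    if (!is_writable(dirname($jar))) {
        throw new RuntimeException('cookie jar directory not writable: ' . dirname($jar));
    }

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLINFO_HEADER_OUT, true);   // record the outgoing request headers
    if ($postinfo !== null) {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postinfo));
    }
    curl_setopt($ch, CURLOPT_COOKIEJAR, $jar);     // cookies this client receives
    curl_setopt($ch, CURLOPT_COOKIEFILE, $jar);    // cookies this client sends back

    if (session_status() === PHP_SESSION_ACTIVE) {
        // The browser's cookie is not in the jar; pass it explicitly.
        curl_setopt($ch, CURLOPT_COOKIE, session_name() . '=' . session_id());
        // Release the session lock, or the target page blocks waiting for it.
        session_write_close();
    }

    $body  = curl_exec($ch);
    $error = curl_error($ch);
    $sent  = curl_getinfo($ch, CURLINFO_HEADER_OUT);
    curl_close($ch);

    if ($body === false) {
        throw new RuntimeException('request failed: ' . $error);
    }
    return [$body, $sent];
}
```

Where the visitor only needs to land on another page, sending a Location header lets the browser make the request with its own cookie, and no session ID has to be handled server-side.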