session cookies and cURL
Posted: Tue Aug 05, 2008 5:33 pm
I have a function "Redirect", as shown below (comments and error-checking removed for brevity):
From what I could glean off the web, I thought that setting the CURLOPT_COOKIEJAR and CURLOPT_COOKIEFILE options as I have done would make the current session cookie available in the target page. But it is not, and nothing appears to be written to curl_cookies.txt. I then tried creating the file in case cURL could/would not do it, and I set the file to have permissions 666 so that it can be read and written to. It is under the home directory so it cannot be browsed to. Did I not specify the path correctly? I tried moving it (temporarily) to a public area, but there was no difference.
Code:

    function Redirect($url, $postinfo)
    {
        $curlh = curl_init();
        curl_setopt($curlh, CURLOPT_URL, $url);
        // Send a POST request only when POST data was supplied
        if(isset($postinfo))
        {
            curl_setopt($curlh, CURLOPT_POST, 1);
            curl_setopt($curlh, CURLOPT_POSTFIELDS, $postinfo);
        }
        // Cookie file: written by COOKIEJAR, read back by COOKIEFILE
        curl_setopt($curlh, CURLOPT_COOKIEJAR, "/curl_cookies/curl_cookies.txt");
        curl_setopt($curlh, CURLOPT_COOKIEFILE, "/curl_cookies/curl_cookies.txt");
        // Perform the request; the response body is output directly
        curl_exec($curlh);
        curl_close($curlh);
        return 1;
    }

The flow follows the "Dispatch" method suggested in this article http://shiflett.org/articles/secure-design.
All dynamic pages (excluding Gallery) are entered through http://www.hrsms.org/run.php with an option set as a GET parameter, ex. http://www.hrsms.org/run.php?script=resources
If a visitor requests a private page ex. http://www.hrsms.org/run.php?script=members, they are redirected to the login page, if not already logged in. When the form is submitted, and the user validated, the form posts back to the originally requested page, the script sees the user is logged in, and the content is displayed. Again, in a little more detail:
- User navigates to http://www.hrsms.org/run.php?script=members
- Code detects user is not currently logged in and redirects (cURL) to http://www.hrsms.org/run.php?script=login with POST 'requested_page'='members'.
- The login script detects the form has not been submitted, and therefore displays a login form
- On submit the form posts to http://www.hrsms.org/run.php?script=login with POST variables for username, password, and original requested page.
- This time the login script detects that the form is submitted and validates the username and password. If correct, it redirects (cURL) to http://www.hrsms.org/run.php?script=members
- This time the members script sees that the user is logged in and displays the requested content.
It's the first time I've attempted to use cURL.
Can anyone spot my error above?
Thanks!!
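
An added example, not part of the original post: CURLOPT_COOKIEJAR and CURLOPT_COOKIEFILE only store and replay cookies that the target sets in responses to cURL's own requests, so a server-side request carries the visitor's session only if the script sends that cookie itself. The sketch below does that with CURLOPT_COOKIE; forwardRequest(), SITE_HOST and JAR_DIR are hypothetical names, and JAR_DIR is an assumed absolute path to a directory writable by the web server user.

```php
<?php
// Added example, not the poster's code. forwardRequest(), SITE_HOST and
// JAR_DIR are hypothetical names; JAR_DIR is an assumed path.
const SITE_HOST = 'www.hrsms.org';
const JAR_DIR   = '/home/example/curl_cookies'; // absolute, outside the web root, mode 0700

function forwardRequest(string $url, ?array $postinfo = null): string
{
    // The session id is a credential: only send it to our own host.
    if (parse_url($url, PHP_URL_HOST) !== SITE_HOST) {
        throw new InvalidArgumentException('refusing to forward session off-site');
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $cookie = session_name() . '=' . session_id();
    // One jar per visitor: a jar shared by all visitors would replay one
    // visitor's cookies on another visitor's request.
    $jar = JAR_DIR . '/' . hash('sha256', session_id()) . '.txt';
    // Release the session lock so the target script on the same site can
    // open this session instead of blocking until we finish.
    session_write_close();

    $curlh = curl_init($url);
    curl_setopt($curlh, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curlh, CURLOPT_COOKIE, $cookie);   // the visitor's session cookie
    curl_setopt($curlh, CURLOPT_COOKIEFILE, $jar);  // cookies saved by earlier cURL calls
    curl_setopt($curlh, CURLOPT_COOKIEJAR, $jar);   // where new ones are saved
    if ($postinfo !== null) {
        curl_setopt($curlh, CURLOPT_POST, true);
        curl_setopt($curlh, CURLOPT_POSTFIELDS, http_build_query($postinfo));
    }
    $body  = curl_exec($curlh);
    $error = curl_error($curlh);
    // The jar is written when the handle is freed; curl_close() alone is a
    // no-op since PHP 8.0, so drop the reference explicitly.
    unset($curlh);
    if (is_file($jar)) {
        chmod($jar, 0600); // holds session cookies: owner-only, not 666
    }
    if ($body === false) {
        throw new RuntimeException("cURL request failed: $error");
    }
    return $body;
}
```

The calling script still has to echo the returned body, and cookies stored in the jar are never delivered to the visitor's browser.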