I try to login with curl to a SSL secured website but somehow I don't get it right.
The first curl connection retrieves the login form. An SSL issue in the beginning is resolved now. The fields used for authentication and all hidden fields are identified and used for the following POST. The cookie file is defined and the jar to read from as well. The cookie file is accessible and gets updated with each login attempt. A session cookie is successfully set by curl. The HTTPHEADER is removed to stop the request from hitting the 100 Continue wall. Curl is configured to follow up and to send a referer. However, I still cannot find where the script gets stuck. Neither Curl nor PHP issue any error messages or warnings.
Here is the shortened script:
$ch = curl_init();
curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION,1);
curl_setopt($ch, CURLOPT_AUTOREFERER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Expect:')); // remove Expect header to avoid 100 Continue situations
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla [abbreviated]');
curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__).'/cacert.pem');
curl_setopt($ch, CURLOPT_COOKIEFILE, dirname(__FILE__).'/cookie.hq.txt'); // write cookies
curl_setopt($ch, CURLOPT_COOKIEJAR, dirname(__FILE__).'/cookie.hq.txt'); // read cookies
curl_setopt($ch, CURLOPT_COOKIESESSION, 1);
curl_setopt($ch, CURLOPT_URL, 'https://the_url.jsp');
$data = curl_exec($ch);
$error= curl_error($ch);
if(!empty($error))
echo '<p>'.$error.'</p>';
else
echo '<p>ok</p>';
Now the script reads the form, fills in the credentials and POSTs it back using the same curl_init handle:
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $options);
$data = curl_exec($ch);
$error=curl_error($ch);
But all I get back is the same form again and the same session cookie or a new one depending on the CURLOPT_COOKIESESSION setting.
When I log in manually I notice that there are two more cookies set: LtpaToken and LtpaToken2 but I never see them appearing in the request headers printed by the script. Manually submitting the form works even without Javascript aktivated. So there cannot be some JS magic modifying the form data under the hood before submitting it. Obviously I am missing something here. Any ideas where I can look further?
Solved: Finally the issue was due to an encoding issue in the POST. Initially the POST data was created from an array with http_build_query(). Now the POST data is simply concatenated and both keys and values are urlencoded separately:
$options.=urlencode($fieldName).'='.urlencode($element->getAttribute('value'));