cURL and cookies

Hi,

I’m building a login system in PHP where I need to use credentials from another website. I’m using an API to log in to another server and I’m doing it using cURL. The server where the login credentials are stored creates a cookie with a unique token after the user has logged in correctly, and this cookie is needed to view other web pages and interrogate these pages using other APIs.
This is what I’ve done so far and it seems to work fine. In the login controller PHP file I’ve got this code:

        $km_username = filter_var($_POST['userName'], FILTER_SANITIZE_STRING);
        $km_user_password = $_POST['userPassword'];

        $cookieFile = "cookies.txt";
        if(!file_exists($cookieFile)) {
            $fh = fopen($cookieFile, "w");
            fwrite($fh, "");
            fclose($fh);
        }

        $url = 'https://www.apiwebsite.com/api/login.jsp?';

        $fields = array(
            'userid' => $km_username,
            'password' => $km_user_password
        );

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
        curl_setopt($ch, CURLOPT_COOKIEFILE, $cookieFile); // Cookie aware
        curl_setopt($ch, CURLOPT_COOKIEJAR, $cookieFile); // Cookie aware
        $content = curl_exec($ch);
        curl_close($ch);

In the page where I want to interrogate the server to get other data I’ve got:

        $dates = array(
            'd_inizio' => '01/01/2017',
            'd_fine' => '31/12/2017'
        );

        $url = "https://www.apiwebsite.com/api/ricevute.jsp?";
        $cookie = "../../km-controllers/cookies.txt";
 
        $ch = curl_init ($url);
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($dates));
        curl_setopt ($ch, CURLOPT_COOKIEFILE, $cookie); 
        curl_setopt ($ch, CURLOPT_RETURNTRANSFER, true);
        $output = curl_exec ($ch);

So basically, after the user has logged into the website, cURL saves a cookie txt file on my server, and this allows me to use that file any other time I want to make another call using, for example, a different API.

Now the question is: what happens if I’ve got more than one user logging into the system? Do I need to create x number of cookies according to how many users log into the system? Would it not be simpler to save the cookie in the user’s browser?

Many thanks

If you want to prevent users hijacking each other's sessions on the remote server, or your users need concurrent different credentials on the remote, then yes, you need to store the cookie for each user separately. I would just use a database for this. Storing the cookie in the browser of the user requires a cookie, so you would store a cookie in the cookie. At least when not creating more files, but you need a file descriptor, you have to put the remote cookie back into a file; just look up "php create file in memory".
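
The per-user storage described in the reply above, as an added example that is not part of the original thread: cURL's in-memory cookie engine is seeded from, and saved back to, a store that belongs to one user. The function names, the `remote_cookies` key, the cookie name `token` and the cookie values are assumptions constructed for illustration; `$store` stands in for `$_SESSION` or a database row.

```php
<?php
// Added example: each user's remote cookies live in that user's own store,
// not in one shared cookies.txt. All names and cookie values are constructed.

/** Build a cURL handle whose cookie engine holds only $cookieLines. */
function remote_handle(string $url, array $cookieLines)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_COOKIEFILE, ''); // empty name: engine on, no file read
    foreach ($cookieLines as $line) {
        // Import one Netscape-format cookie line into this handle only.
        curl_setopt($ch, CURLOPT_COOKIELIST, $line);
    }
    return $ch;
}

/** POST to the remote API, then save the cookies it set back into $store. */
function remote_post(string $url, array $fields, array &$store): string
{
    $ch = remote_handle($url, $store['remote_cookies'] ?? []);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Remote request failed: ' . curl_error($ch));
    }
    // Cookies never touch the web root; persist them per user instead.
    $store['remote_cookies'] = curl_getinfo($ch, CURLINFO_COOKIELIST);
    return $body;
}

// Offline demonstration (no request is sent): two users, two separate stores.
$stores = [
    'alice' => ['remote_cookies' => ["www.apiwebsite.com\tFALSE\t/\tTRUE\t0\ttoken\tconstructed-A"]],
    'bob'   => ['remote_cookies' => ["www.apiwebsite.com\tFALSE\t/\tTRUE\t0\ttoken\tconstructed-B"]],
];
foreach ($stores as $user => $store) {
    $ch = remote_handle('https://www.apiwebsite.com/api/ricevute.jsp', $store['remote_cookies']);
    // Each handle reports only the cookies of the user it was built for.
    echo $user, ': ', implode(' | ', curl_getinfo($ch, CURLINFO_COOKIELIST)), PHP_EOL;
}
```

With PHP sessions, passing `$_SESSION` as `$store` after `session_start()` keeps the remote token on the server and tied to the logged-in user's session.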

Hi, many thanks for your answer. I’ve managed to create a new cookie file and save it in a session; this is the code that I’ve built. The only problem I’ve got now is with validating the form.

$km_username = filter_var($_POST['userName'], FILTER_SANITIZE_STRING);
$km_user_password = $_POST['userPassword'];


// Validate form fields if they are empty
if(empty($km_username) && empty($km_user_password)) {

        // Error message if email and password fields are empty
        $_SESSION['km_error_message'] = 'Insert username and password!';
        header('Location: '.KM_BASE_URL.'/login.php');
        exit();

}else if(empty($km_username)) {

        // Error message if username field is empty
        $_SESSION['km_error_message'] = 'Insert username!';
        header('Location: '.KM_BASE_URL.'/login.php');
        exit();

}else if(empty($km_user_password)) {

        // Error message if password field is empty
        $_SESSION['km_error_message'] = 'Insert password!';
        header('Location: '.KM_BASE_URL.'/login.php');
        exit();
 
}

// Store form fields into an array
$fields = array(
    'userid' => $km_username,
    'password' => $km_user_password
);

// cURL request to Condomatica API
$cURL = curl_init();
curl_setopt($cURL, CURLOPT_URL, URL_LOGIN_API);
curl_setopt($cURL, CURLOPT_POST, 1);
curl_setopt($cURL, CURLOPT_POSTFIELDS, http_build_query($fields));
curl_setopt($cURL, CURLOPT_HEADER, 0);
curl_setopt($cURL, CURLOPT_RETURNTRANSFER, TRUE);

$cURL_response = curl_exec($cURL); // execute the curl command

    if (curl_error($cURL)) {
        echo curl_error($cURL);
    }

curl_close ($cURL);

$json_response = json_decode($cURL_response, true);


// Form validation after cURL request

if(isset($json_response['errorDetailCode'])){

    // Error message if cURL request error
    $_SESSION['km_error_message'] = $json_response['errorDetailMessage'];
    header('Location: '.KM_BASE_URL.'/login.php');
    exit();

}else{

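    // Store the cookie file name into the session
    if (!isset($_SESSION['cookiefile'])) {
        $cookiefile = tempnam(".", "cookie");
        $_SESSION['cookiefile'] = basename($cookiefile);
        file_put_contents($cookiefile, "");
    } else {
        // Reuse the cookie file already created for this session
        $cookiefile = "./" . $_SESSION['cookiefile'];
    }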

    // cURL request to Condomatica API
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, URL_LOGIN_API);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiefile); // Cookie aware
    curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiefile); // Cookie aware
    $content = curl_exec($ch);
    curl_close($ch);

    // Redirect user to dashboard
    header('Location: '.KM_BASE_URL.'/client-dashboard.php');
    exit();

}

I’ve got three error codes returned from a JSON object if the username and password sent by cURL are not correct. These are the errors:

// array(2) { ["errorDetailCode"]=> int(-44) ["errorDetailMessage"]=> string(37) "username or password not found" } 
// array(2) { ["errorDetailCode"]=> int(-2) ["errorDetailMessage"]=> string(23) "username not found" }
// array(2) { ["errorDetailCode"]=> int(-1) ["errorDetailMessage"]=> string(19) "password not found" }  

If I get the error "username or password not found" at the first attempt, then I keep getting the same error even if the username is correct and the password is wrong, and vice versa. I know it is better to show a generic message such as "username or password wrong", but this is just for testing purposes and learning. Do you know why?
