Unable to log in to website using PHP cURL, invision forums produce unhelpful error after trying to do so

I am trying to log in to an invision forum with cURL and am encountering a problem with little feedback information.

My first step is to visit the site, and grab the csrfKey for use in logging in, relevant code below:

function get_web_page( $url, $newConn = false )
    {
        $user_agent='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36';

        $cookie_file_path = $this->getCookieJarPath();
        $cookie_file_path = realpath($cookie_file_path);

        $options = array(

            CURLOPT_CUSTOMREQUEST  =>"GET",        //set request type post or get
            CURLOPT_POST           =>false,        //set to GET
            CURLOPT_USERAGENT      => $user_agent, //set user agent
            CURLOPT_COOKIEFILE     =>$cookie_file_path, //set cookie file
            CURLOPT_COOKIEJAR      =>$cookie_file_path, //set cookie jar
            CURLOPT_RETURNTRANSFER => true,     // return web page
            CURLOPT_HEADER         => false,    // don't return headers
            CURLOPT_FOLLOWLOCATION => true,     // follow redirects
            CURLOPT_ENCODING       => "",       // handle all encodings
            CURLOPT_AUTOREFERER    => true,     // set referer on redirect
            CURLOPT_CONNECTTIMEOUT => 120,      // timeout on connect
            CURLOPT_TIMEOUT        => 120,      // timeout on response
            CURLOPT_MAXREDIRS      => 10,       // stop after 10 redirects
            CURLOPT_COOKIESESSION  => true,     // Unsure if needed
        );

        if($newConn){
            $options[CURLOPT_FRESH_CONNECT] = true;
        }

        $ch      = curl_init( $url );
        curl_setopt_array( $ch, $options );
        $content = curl_exec( $ch );
        $err     = curl_errno( $ch );
        $errmsg  = curl_error( $ch );
        $header  = curl_getinfo( $ch );
        curl_close( $ch );

        $header['errno']   = $err;
        $header['errmsg']  = $errmsg;
        $header['content'] = $content;
        return $header;
    }

I wrote the webpage gathered in step 1 to a file, and checked it to verify the csrfKey was being gathered correctly. Second step is to use the csrfKey to fill in the required fields and attempt to log in:

$postArray = array(
            'auth' => 'my@gmail.com',
            'password' => 'mypassword',
            'remember_me' => '1',
            'csrfKey' => $csrfValue,
            '_processLogin' => 'usernamepassword',  // This is the submit button
        );

        if (!!$refValue) {
            $postArray['ref'] = $refValue;
        }

        try{
            $ch = curl_init();
            $cookie_file_path = $this->getCookieJarPath();
            $cookie_file_path = realpath($cookie_file_path);

            curl_setopt($ch, CURLOPT_COOKIESESSION, true);
            curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path);
            curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path);
            curl_setopt($ch, CURLOPT_HEADER, 1);
            curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36");
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
            curl_setopt($ch, CURLOPT_REFERER, 'https://forum.website.com/login/');

            curl_setopt($ch, CURLOPT_URL, 'https://forum.website.com/login/');
            curl_setopt($ch, CURLOPT_POST, true);

            $postargs = http_build_query($postArray);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $postargs);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

            // Check if initialization had gone wrong*
            if ($ch === false) {
                throw new Exception('failed to initialize');
            }

            $content = curl_exec($ch);

            // Check the return value of curl_exec(), too
            if ($content === false) {
                throw new Exception(curl_error($ch), curl_errno($ch));
            }

            $last_url = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
            
            // Close curl handle
            curl_close($ch);

        }catch(Exception $e){
            trigger_error(sprintf(
                'Curl failed with error #%d: %s',
                $e->getCode(), $e->getMessage()),
                E_USER_ERROR);
            return false;
        }

After that I check $content and find that I have failed to log in. The webpage has a title of “Sorry, you do not have permission for that!” along with the message "Sorry, there is a problem

Something went wrong. Please try again.
Error code: 2S119/1"

Searching that error code returns a number of varied speculated causes, including the csrfKey being wrong, as well as a number of other issues that don’t seem terribly relevant.

I really have no idea where to go from here, I’ve been plugging in new options for the curl connection for days and hoping for the best with no luck. The cookie jar is being used and looks like this:

# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

#HttpOnly_.website.com	TRUE	/	TRUE	0	ips4_guestTime	1591998327
#HttpOnly_.website.com	TRUE	/	TRUE	0	ips4_IPSSessionFront	eu1vctj7cpn6kmava6ulgr2r2s

Can anyone give me some direction or see where I am going wrong here? Thanks.

I would guess the site owner does not want you to do what you are doing.

1 Like

Sounds to me like the forum code is doing exactly what most forums are coded to do - prevent bot access.

This was the winning combo:

$ch = curl_init ('https://forum.website.com/login/');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16');
curl_setopt($ch, CURLOPT_POST, true);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);

curl_setopt($ch, CURLOPT_POSTFIELDS, $postArray);