1

This is in reference to this earlier StackOverflow question, login credentials, where Tom B. suggested using this format for logging in through HTTP/HTTPS: username:password@domain.com.

This approach leaves the username and password visible to anyone who inspects the page source.

Is there any way to perform the initial login through PHP (perhaps cURL), and then proceed with the HTML session? I tried the following, but for some reason, the session is not saved, causing the proceeding HTML to fail:

```php
<?php
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, 'http://url.xxx');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_USERPWD, "user:password");
    curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
    $output = curl_exec($ch);
    curl_close($ch);
    include 'sessionPage.html';
?>
```

This format didn't work either:

```php
curl_setopt($ch, CURLOPT_URL, 'http://user:password@url.xxx');
```

How could I perform a successful login through a PHP script and have the session carried forward to the proceeding HTML page? The resource is third-party, so I have no control over the session information.

Thank you.

iSofia
  • If you want to use curl, you can use a [cookie file](http://curl.haxx.se/docs/http-cookies.html) to save the session_id. – DevDonkey Aug 11 '15 at 09:03
  • I read about that, but I'm not sure how to implement it. Might you have some resource on that? TIA. – iSofia Aug 11 '15 at 09:07
  • Put you up an example of what I use from one of my test scripts. Hope that helps – DevDonkey Aug 11 '15 at 09:27

2 Answers

0

You can use a cookie file to hold the session_id of a successful (manual) login. This way the curl script will appear to be the user that created the session id in the first place.

curl script

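```php
function get_data( $url ) {
  // Cookie file holding the session cookie (path is relative to the working directory)
  $cookie = 'cookie.txt';
  $ch = curl_init();
  $timeout = 5; // connection timeout in seconds
  curl_setopt( $ch, CURLOPT_URL, $url );
  curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 ); // return the body instead of printing it
  curl_setopt( $ch, CURLOPT_CONNECTTIMEOUT, $timeout );
  curl_setopt( $ch, CURLOPT_COOKIEJAR, $cookie );  // write cookies here when the handle closes
  curl_setopt( $ch, CURLOPT_COOKIEFILE, $cookie ); // read cookies from here for the request
  $data = curl_exec( $ch );
  curl_close( $ch );

  return $data;
}
```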

cookie file (contains just this line)

```
www.awebsite.com    TRUE    /   FALSE   0   PHPSESSID   5rsiasdfasdfasdfasdf73dvi9r0
```

To get the session id, log in manually to the site in question, view the cookie with the browser's dev tools and copy the PHPSESSID. Obviously with this approach you are limited to having to get the session_id yourself first.

DevDonkey
  • Sorry for the late reply. It seems that the server _(actually an IP camera)_ does not utilise cookies. How is this possible? If I open a tab on the browser to login, other tabs can access the camera without logging in again. And yet the browser's cookie cache is empty. And if I close the browser completely and restart, the server requests a login again? How is it keeping track without cookies? – iSofia Aug 13 '15 at 16:33
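
An added example, not part of the answer above or of the original page: it writes the one-line cookie file with the tab separators libcurl's Netscape-format parser expects and with owner-only permissions, then reuses it with the same cURL options as the answer. The `write_cookie_jar` helper, the host name and the session value are constructed placeholders.

```php
<?php
// Added example. Function names, host and session value are constructed placeholders.

// Write a one-cookie jar in the Netscape format libcurl reads. The seven
// fields are TAB-separated: domain, subdomain flag, path, secure flag,
// expiry (0 = session cookie), name, value.
function write_cookie_jar(string $jar, string $domain, string $name,
                          string $value, bool $secure = false): void
{
    foreach ([$domain, $name, $value] as $field) {
        if ($field === '' || preg_match('/[\t\r\n]/', $field)) {
            throw new InvalidArgumentException('empty field or control character');
        }
    }
    $line = implode("\t", [$domain, 'TRUE', '/', $secure ? 'TRUE' : 'FALSE', '0', $name, $value]);
    // The session ID is a credential: set owner-only permissions before writing it.
    if (!touch($jar) || !chmod($jar, 0600)) {
        throw new RuntimeException("cannot prepare $jar");
    }
    file_put_contents($jar, "# Netscape HTTP Cookie File\n$line\n", LOCK_EX);
}

// Fetch $url with the cookies in $jar; cookies the server sets are saved back.
function get_data(string $url, string $jar): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_COOKIEFILE     => $jar, // cookies to send
        CURLOPT_COOKIEJAR      => $jar, // where updated cookies are written
    ]);
    $data  = curl_exec($ch);
    $error = curl_error($ch);
    unset($ch); // releasing the handle flushes cookies to the jar
    if ($data === false) {
        throw new RuntimeException("request failed: $error");
    }
    return $data;
}

// tempnam() creates the file with mode 0600; on a server keep the jar outside the web root.
$jar = tempnam(sys_get_temp_dir(), 'jar_');
write_cookie_jar($jar, 'camera.example.test', 'PHPSESSID', 'CONSTRUCTED-SESSION-ID');
echo file_get_contents($jar);
printf("mode: %o\n", fileperms($jar) & 0777);
// $html = get_data('http://camera.example.test/', $jar); // needs the real host
unlink($jar);
```
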
0

Only possible if PHP is running on the same machine. What you need to do, basically, is to grab the cookie from the response of cURL and, using PHP, write that cookie into the file system in the right place to emulate a successful login. All this assuming cookies are being used for authentication. There are other forms of authentication as well: persistent forms, session ID in the URL, by IP address, etc.

HM Mroue