How to login to girisv3.itu.edu.tr with php/curl?

Question

I am trying to login this website över mu website (i.e localhost) https://girisv3.itu.edu.tr/Login.aspx

According to example code shared at here for facebook login on other website (localhost) PHP cURL to login to facebook

I am trying to apply this Facebook login for itu.edu.tr login. But it didnt work. I am also newbie to curl and php. How can I do that for this website (itu.edu.tr)?

<?php
    $username = 'username@itu.edu.tr';
    $password = 'password';
    $loginUrl = 'https://girisv3.itu.edu.tr/Login.aspx';

    $ch = curl_init();


    curl_setopt($ch, CURLOPT_URL, $loginUrl);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, 'ContentPlaceHolder1_tbUserName='.$username.'&ContentPlaceHolder1_tbPassword='.$password.'&ContentPlaceHolder1_btnLogin=Login');
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_COOKIEJAR, "cookies.txt");
    curl_setopt($ch, CURLOPT_COOKIEFILE, "cookies.txt");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_REFERER, "http://www.itu.edu.tr");
    //execute the request
    $content = curl_exec($ch);

    echo $content;
?>

Answer 1

the login system at girisv3.itu.edu.tr has little in common with the facebook login system (i can say that with confidence because i've studied facebook's login system and written code that logs into facebook )

to login here, first hit https://girisv3.itu.edu.tr/Login.aspx with a simple HTTP GET request, here you'll be redirected 5 times (why? no friggin idea, albeit at least 2 of them are to test that you have cookies enabled) with HTTP Location-redirects , on the first redirect you will get a cookie looking like Set-Cookie: ASP.NET_SessionId=fzwd05uqv2ogyvj2p4ip2x3u; path=/; HttpOnly, save that and re-use it on all following redirects (if you do not, you will get an error like The ITU Introduction application uses cookies. Your browser has been found to block cookies. Please allow cookies from the browser settings and try again later.), and on the last request you will get a cookie looking like Cookie: ASP.NET_SessionId=nmhigw3julmzbedva0zwklj2; cookieCheck=true, this is the cookie you need to actually log in. (cookieCheck=true probably means that you passed the cookie test), once you're finished with the redirects, the HTML contains a lot of data that you need to parse out to log in, a <form element contains a unique url specific to your cookie where you need to send the POST request to log in, it looks like

<form method="post" action="./Login.aspx?subSessionId=543cf6e7-d262-46f3-8207-740d92298bd3&amp;currentURL=https%3a%2f%2fportal.itu.edu.tr%2flogin.aspx%3fReturnUrl%3d%252fapps%252fdefault%252f&amp;cookieAdded=true" id="form1">

and there are a bunch of <input> elements containing data that you also need to parse out and add to the actual login request, specifically

__VIEWSTATE and __VIEWSTATEGENERATOR and __EVENTVALIDATION and ctl00$ContentPlaceHolder1$hfAppName and ctl00$ContentPlaceHolder1$hfToken and ctl00$ContentPlaceHolder1$hfVerifier and ctl00$ContentPlaceHolder1$hfCode and ctl00$ContentPlaceHolder1$hfState and (this 1 is the login username by the way) ctl00$ContentPlaceHolder1$tbUserName and (this 1 is the login password) ctl00$ContentPlaceHolder1$tbPassword and ctl00$ContentPlaceHolder1$btnLogin

once you have the login POST data parsed out from the html, add the login username to ctl00$ContentPlaceHolder1$tbUserName and add the login password to ctl00$ContentPlaceHolder1$tbPassword, and send the actual login request to the url obtained from the <form element together with the cookie received in the last http-redirect, the data must be encoded in the application/x-www-form-urlencoded-format (and PHP has a native function for encoding php arrays in application/x-www-form-urlencoded-format called http_build_query)

here is an example with hhb_curl (a php curl_ api wrapper which takes care of error detection (turning silent curl errors into RuntimeExceptions), cookies, following Location redirects, freeing curl resources, and then some)

<?php
declare (strict_types = 1);
const USERNAME = "TheUsername";
const PASSWORD = "ThePassword";
require_once('hhb_.inc.php');
$hc = new hhb_curl('', true);
$html = $hc->exec('https://girisv3.itu.edu.tr/Login.aspx')->getStdOut();
$domd = @DOMDocument::loadHTML($html);
$xp = new DOMXPath($domd);
$loginForm = $domd->getElementById("form1");
$login_url = 'https://girisv3.itu.edu.tr/' . $loginForm->getAttribute("action");
$postDataInputNames = array(
    '__VIEWSTATE',
    '__VIEWSTATEGENERATOR',
    '__EVENTVALIDATION',
    'ctl00$ContentPlaceHolder1$hfAppName',
    'ctl00$ContentPlaceHolder1$hfToken',
    'ctl00$ContentPlaceHolder1$hfVerifier',
    'ctl00$ContentPlaceHolder1$hfCode',
    'ctl00$ContentPlaceHolder1$hfState',
    'ctl00$ContentPlaceHolder1$tbUserName',
    'ctl00$ContentPlaceHolder1$tbPassword',
    'ctl00$ContentPlaceHolder1$btnLogin',
);
$postData = [];
foreach ($postDataInputNames as $name) {
    $ele = $xp->query('.//input[@name=' . xpath_quote($name) . ']', $loginForm);
    if (!$ele->length) {
        var_dump($html);
        throw new \LogicException("failed to find input form {$name}!");
    }
    $ele = $ele->item(0);
    $postData[$name] = $ele->getAttribute("value");
}
$postData['ctl00$ContentPlaceHolder1$tbUserName'] = USERNAME;
$postData['ctl00$ContentPlaceHolder1$tbPassword'] = PASSWORD;
var_dump('login post data: ', $postData);
$html = $hc->setopt_array(array(
    CURLOPT_POST => 1,
    CURLOPT_POSTFIELDS => http_build_query($postData),
    CURLOPT_URL => $login_url,
))->exec()->getStdOut();
$domd = @DOMDocument::loadHTML('<?xml encoding="UTF-8">' . $html);
$xp = new DOMXPath($domd);
$loginError = $domd->getElementById("ContentPlaceHolder1_lbHata");
if ($loginError && !empty(trim($loginError->textContent))) {
    echo "LOGIN ERROR: " . trim($loginError->textContent) . "\n";
} else {
    echo "Login success! ";
    var_dump($html);
}


//based on https://stackoverflow.com/a/1352556/1067003
function xpath_quote(string $value) : string
{
    if (false === strpos($value, '"')) {
        return '"' . $value . '"';
    }
    if (false === strpos($value, '\'')) {
        return '\'' . $value . '\'';
    }
    // if the value contains both single and double quotes, construct an
    // expression that concatenates all non-double-quote substrings with
    // the quotes, e.g.:
    //
    //    concat("'foo'", '"', "bar")
    $sb = 'concat(';
    $substrings = explode('"', $value);
    for ($i = 0; $i < count($substrings); ++$i) {
        $needComma = ($i > 0);
        if ($substrings[$i] !== '') {
            if ($i > 0) {
                $sb .= ', ';
            }
            $sb .= '"' . $substrings[$i] . '"';
            $needComma = true;
        }
        if ($i < (count($substrings) - 1)) {
            if ($needComma) {
                $sb .= ', ';
            }
            $sb .= "'\"'";
        }
    }
    $sb .= ')';
    return $sb;
}

which yields:

LOGIN ERROR: Kullanıcı adı veya şifre hatalı.

which means the username/password is invalid, because apparently TheUsername and ThePassword is not valid login credentials.

all the information required to login can be obtained by installing Fiddler Proxy, and record logging in with a browser (like FireFox), and then replicate the browser login procedure with php/curl, which is basically what i did here.