
curl-and-php

HTTPS Redirect does not pass along new cookies

From: Pieter de Zwart <pdezwart_at_snocap.com>
Date: Mon, 11 Feb 2008 14:07:02 -0800

Hi Everyone,

I looked around the archives, and though I found a couple of references to this problem, I couldn't find a solution, so any help is much appreciated. I am trying to log in automagically to Bank of America using curl 7.16.* on fedora core 5 with php 5.2.4. For reference, there are two steps prior to the one listed below where I submit username and password. After each step, I extract the temporary cookies and manually insert them into the next request using CURLOPT_COOKIE. For all these requests, I am also setting CURLOPT_COOKIEFILE and CURLOPT_COOKIEJAR to the same location, which is accessible by apache. I also have CURLOPT_AUTOREFERER and CURLOPT_FOLLOWLOCATION turned on to follow redirects.

The problem seems to occur during the redirection. If you look below, it looks like the cookies returned in the first and second 302 are not getting passed to the following GET, which is why I am getting logged out. The simple solution of course is to turn off FOLLOWLOCATION and parse out the cookies from the headers and perform my own 302, but I was hoping curl would be able to do it for me =)

Again, I am a newb, so I may have missed something obvious, in which case I apologize. Any help on this would be much appreciated.

Thanks,
Pieter

* About to connect() to sitekey.bankofamerica.com port 443 (#0)
* Trying 171.161.162.233... * connected
* Connected to sitekey.bankofamerica.com (171.161.162.233) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using RC4-MD5
* Server certificate:
* subject: /C=US/ST=North Carolina/L=Charlotte/O=Bank of America Corporation/OU=DMZUNIXAPPS 1/CN=sitekey.bankofamerica.com
* start date: 2007-08-09 00:00:00 GMT
* expire date: 2008-08-31 23:59:59 GMT
* common name: sitekey.bankofamerica.com (matched)
* issuer: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
* SSL certificate verify ok.
> POST /sas/verifyImage.do HTTP/1.1
Host: sitekey.bankofamerica.com
Cookie: GSLSESSIONID=0000LozLF3rcv4hgXuQfrPIXBhW:12hs4hqkk; Path=/; state=CA; Expires=Thu, 01-Jan-1970 00:00:10 GMT; pm_command=; Domain=.bankofamerica.com; SMSESSION=deleted
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
Content-Length: 98
Content-Type: application/x-www-form-urlencoded

< HTTP/1.1 302 Found
< Server: Sun-ONE-Web-Server/6.1
< Date: Mon, 11 Feb 2008 21:15:32 GMT
< Content-length: 0
< Content-type: text/html
< Set-cookie: state=CA;Expires=Tue, 10-Feb-2009 21:15:32 GMT;Path=/
< Pragma: No-cache
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< P3p: CP="CAO IND PHY ONL UNI FIN COM NAV INT DEM CNT STA POL HEA PRE GOV CUR ADM DEV TAI PSA PSD IVAi IVDi CONo TELo OUR SAMi OTRi"
< Set-cookie: state=CA;Expires=Tue, 10-Feb-2009 21:15:32 GMT;Path=/
< Set-cookie: queue_indicator=GAIMW;Domain=.bankofamerica.com;Path=/
< Set-cookie: pm_2x=pm_token=83BD242A16B583530611C5904C38319C97EFECA&pm_iv=F6AE926BF9F;Domain=.bankofamerica.com;Path=/; Secure
< Cache-control: no-cache="set-cookie,set-cookie2"
< Location: https://onlineeast1.bankofamerica.com/cgi-bin/ias/0/E/LoginEntryPoint?CIPHER_TEXT_IN_HEX=
< Content-language: en
<
* Connection #0 to host sitekey.bankofamerica.com left intact
* Issue another request to this URL: 'https://onlineeast1.bankofamerica.com/cgi-bin/ias/0/E/LoginEntryPoint?CIPHER_TEXT_IN_HEX='
* Disables POST, goes with GET
* About to connect() to onlineeast1.bankofamerica.com port 443 (#1)
* Trying 171.159.194.159... * connected
* Connected to onlineeast1.bankofamerica.com (171.159.194.159) port 443 (#1)
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using RC4-MD5
* Server certificate:
* subject: /C=US/ST=North Carolina/L=Charlotte/O=Bank of America Corporation/OU=ETIS WASE Ecomm/OU=Terms of use at www.verisign.com/rpa (c)00/CN=onlineeast1.bankofamerica.com
* start date: 2007-04-25 00:00:00 GMT
* expire date: 2008-04-24 23:59:59 GMT
* common name: onlineeast1.bankofamerica.com (matched)
* issuer: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
* SSL certificate verify ok.
> GET /cgi-bin/ias/0/E/LoginEntryPoint?CIPHER_TEXT_IN_HEX= HTTP/1.1
Host: onlineeast1.bankofamerica.com
Referer: https://sitekey.bankofamerica.com/sas/verifyImage.do
Cookie: GSLSESSIONID=0000LozLF3rcv4hgXuQfrPIXBhW:12hs4hqkk; Path=/; state=CA; Expires=Thu, 01-Jan-1970 00:00:10 GMT; pm_command=; Domain=.bankofamerica.com; SMSESSION=deleted
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12

< HTTP/1.1 302 Found
< Server: Sun-ONE-Web-Server/6.1
< Date: Mon, 11 Feb 2008 21:15:33 GMT
< Content-length: 0
< Content-type: text/html
< Set-cookie: JSESSIONID=0000R9IEdxYwcASGl6CW4KsI:12hs8hqkk;Path=/
< Set-cookie: SessionID=R9IE4YwcASGl6CW4KsI;Path=/cgi-bin/ias
< Set-cookie: SessionID=R9i7dxYwcASGl6CW4KsI
< Set-cookie: SERVERID=120233005_26048_25;Domain=.bankofamerica.com;Path=/
< Pragma: No-cache
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Set-cookie: trans_url=null;Domain=.fiabusinesscard.com;Path=/; Secure
< Set-cookie: LANG_COOKIE=en_US;Domain=.bankofamerica.com;Path=/; Secure
< Set-cookie: BA_0021=OLB;Domain=.bankofamerica.com;Expires=Thu, 08-Feb-2018 21:15:33 GMT;Path=/
< Set-cookie: BOA_0020=20080211:0:O:v65_VkQhwOnkJDZRIGv4pqk7BrtnLoPhW8o;Domain=.bankofamerica.com;Expires=Sun, 01-Mar-2076 00:29:40 GMT;Path=/
< Set-cookie: BOA_WMEL=M;Domain=.bankofamerica.com;Expires=Thu, 08-Feb-2018 21:15:33 GMT;Path=/
< Set-cookie: BOA_INSES=sessioncheck%3D1202764533440_%26returnurl%3Dhttps%3A%2F%2Fonlineeast1.bankofamerica.com%2Fcgi-bin%2Fias%2FA%2F1%2FWatermarkReturnEntryPoint;Domain=.bankofamerica.com;Path=/
< Set-cookie: SMSESSION=deleted;Domain=.bankofamerica.com;Expires=Thu, 01-Jan-1970 00:00:10 GMT;Path=/
< Cache-control: no-cache="set-cookie,set-cookie2"
< Location: https://onlineeast1.bankofamerica.com/cgi-bin/ias/qrIv65_VkQhwOnkJDZRIGv4pqk/1/bofa/ibd/IAS/presentation/GotoWelcome
< Content-language: en-US
<
* Connection #1 to host onlineeast1.bankofamerica.com left intact
* Issue another request to this URL: 'https://onlineeast1.bankofamerica.com/cgi-bin/ias/qrIv65_VkQhwOnkJDZRIGv4pqk/1/bofa/ibd/IAS/presentation/GotoWelcome'
* Re-using existing connection! (#1) with host onlineeast1.bankofamerica.com
* Connected to onlineeast1.bankofamerica.com (171.159.194.159) port 443 (#1)
> GET /cgi-bin/ias/qrIv65_VkQhwOnkJDZRIGv4pqk7BrtnLoPhW8og2179297/1/bofa/ibd/IAS/presentation/GotoWelcome HTTP/1.1
Host: onlineeast1.bankofamerica.com
Referer: https://onlineeast1.bankofamerica.com/cgi-bin/ias/0/E/LoginEntryPoint?CIPHER_TEXT_IN_HEX=
Cookie: GSLSESSIONID=0000LozLF3rcv4hgXuQfrPIXBhW:12hs4hqkk; Path=/; state=CA; Expires=Thu, 01-Jan-1970 00:00:10 GMT; pm_command=; Domain=.bankofamerica.com; SMSESSION=deleted
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12

< HTTP/1.1 302 Found
< Server: Sun-ONE-Web-Server/6.1
< Date: Mon, 11 Feb 2008 21:15:33 GMT
< Content-length: 0
< Content-type: text/html
< Set-cookie: JSESSIONID=0000BatG3g260qFyivgJfi-ZjRf:12hs8hqkk;Path=/
< Set-cookie: SessionID=BatG3g260qFyivgJfi-ZjRf;Path=/cgi-bin/ias
< Set-cookie: SessionID=BatG3g260qFyivgJfi-ZjRf
< Set-cookie: SERVERID=1203794533626_26012_25;Domain=.bankofamerica.com;Path=/
< Pragma: No-cache
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Set-cookie: SMSESSION=;Domain=.bankofamerica.com;Expires=Thu, 01-Jan-1970 00:00:10 GMT;Path=/
< Set-cookie: SMSESSION=;Domain=.bankofamerica.com;Expires=Thu, 01-Jan-1970 00:00:10 GMT;Path=/
< Cache-control: no-cache="set-cookie,set-cookie2"
< Location: https://www.bankofamerica.com/Control.do?page_msg=timeout&body=signoff
< Content-language: en-US
<
* Connection #1 to host onlineeast1.bankofamerica.com left intact
* Issue another request to this URL: 'https://www.bankofamerica.com/Control.do?page_msg=timeout&body=signoff'
* About to connect() to www.bankofamerica.com port 443 (#2)
* Trying 171.161.161.173... * connected
* Connected to www.bankofamerica.com (171.161.161.173) port 443 (#2)
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using RC4-MD5
* Server certificate:
* subject: /C=US/ST=North Carolina/L=Charlotte/O=Bank of America Corporation/OU=DMZUNIXAPPS/CN=www.bankofamerica.com
* start date: 2007-11-19 00:00:00 GMT
* expire date: 2009-01-17 23:59:59 GMT
* common name: www.bankofamerica.com (matched)
* issuer: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
* SSL certificate verify ok.
> GET /Control.do?page_msg=timeout&body=signoff HTTP/1.1
Host: www.bankofamerica.com
Referer: https://onlineeast1.bankofamerica.com/cgi-bin/ias/qrIv65_VkQhwOnkJDZRIGv4pqk/1/bofa/ibd/IAS/presentation/GotoWelcome
Cookie: GSLSESSIONID=0000LozLF3rcv4hgXuQfrPIXBhW:12hs4hqkk; Path=/; state=CA; Expires=Thu, 01-Jan-1970 00:00:10 GMT; pm_command=; Domain=.bankofamerica.com; SMSESSION=deleted
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12

< HTTP/1.1 200 OK
< Server: Sun-ONE-Web-Server/6.1
< Date: Mon, 11 Feb 2008 21:15:33 GMT
< Content-type: text/html;charset=ISO-8859-1
< Content-language: en-US
< Set-cookie: JSESSIONID=0000j98JqhfR34i7WKHDps4XSjq:12rfuebu8; Path=/
< Set-cookie: INTL_LANG=en_US
< Set-cookie: BOA_0020=20081212:0:E:FE86B344-1288-01f4-00000000BA1D; Expires=Sun, 01 Mar 2076 00:29:40 GMT; Domain=.bankofamerica.com
< Expires: Thu, 01 Dec 1994 16:00:00 GMT
< Cache-control: no-cache="set-cookie, set-cookie2"
< Transfer-encoding: chunked
<
* Connection #2 to host www.bankofamerica.com left intact


Received on 2008-02-11
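The trace above shows the symptom the poster describes: the `Cookie:` header on every request is the same hand-assembled string (it even carries `Path=/` and `Expires=...` as though they were cookie names), so nothing that the intermediate 302 responses set (`JSESSIONID`, `SessionID`, `SERVERID`, ...) reaches the next hop. The following PHP is an added example, not code from the post or from the curl project: it lets libcurl's own cookie engine carry cookies across each redirect, records which hop set which cookie for diagnosis, and keeps only the `name=value` pair when a Set-Cookie header has to be parsed by hand. The login URL, form fields and jar path are placeholders; `CURLOPT_REDIR_PROTOCOLS` is only applied where the installed libcurl/PHP define it (it postdates the 7.16 / PHP 5.2.4 combination in the post).

```php
<?php
// Added example (not from the original post): let libcurl's cookie engine
// carry cookies across each 302 hop instead of pasting them into
// CURLOPT_COOKIE. Hostnames, form fields and paths below are placeholders.

// Split one Set-Cookie header value into its name=value pair and attributes.
// Only the pair belongs in a Cookie header; Path/Expires/Domain/Secure are
// scoping rules for the client, which the trace in the post sent back verbatim.
function parse_set_cookie(string $line): array
{
    $parts = array_map('trim', explode(';', $line));
    $pair  = array_shift($parts);
    $eq    = strpos($pair, '=');
    $name  = $eq === false ? $pair : substr($pair, 0, $eq);
    $value = $eq === false ? '' : substr($pair, $eq + 1);
    $attrs = [];
    foreach ($parts as $attr) {
        if ($attr === '') {
            continue;
        }
        $aeq = strpos($attr, '=');
        $key = strtolower($aeq === false ? $attr : substr($attr, 0, $aeq));
        $attrs[$key] = $aeq === false ? true : substr($attr, $aeq + 1);
    }
    return ['name' => $name, 'value' => $value, 'attrs' => $attrs];
}

function login_with_cookie_engine(string $url, array $form, string $jar): array
{
    $hops    = [];   // Set-Cookie headers seen, grouped per response (hop)
    $current = -1;

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($form),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_MAXREDIRS      => 10,
        CURLOPT_AUTOREFERER    => true,
        // Reading from and writing to the same jar enables the engine, which
        // applies Domain/Path/Secure/Expires on every hop. Do not also set
        // CURLOPT_COOKIE: that is a fixed string sent verbatim on each request
        // and can never contain cookies that a later 302 sets.
        CURLOPT_COOKIEFILE     => $jar,
        CURLOPT_COOKIEJAR      => $jar,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        // Record each response's Set-Cookie headers so a lost session can be
        // traced to the hop that set (or deleted) the cookie.
        CURLOPT_HEADERFUNCTION => function ($ch, $header) use (&$hops, &$current) {
            if (preg_match('#^HTTP/#', $header)) {
                $current++;
                $hops[$current] = [];
            } elseif (stripos($header, 'Set-Cookie:') === 0) {
                $hops[$current][] = parse_set_cookie(trim(substr($header, 11)));
            }
            return strlen($header);   // libcurl requires the byte count back
        },
    ]);
    // Where available, refuse redirects that downgrade to plain http, which
    // would otherwise put non-Secure cookies on the wire in the clear.
    if (defined('CURLOPT_REDIR_PROTOCOLS')) {
        curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
    }

    $body = curl_exec($ch);
    $info = [
        'error'     => curl_error($ch),
        'status'    => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'final_url' => curl_getinfo($ch, CURLINFO_EFFECTIVE_URL),
        'redirects' => curl_getinfo($ch, CURLINFO_REDIRECT_COUNT),
        'hops'      => $hops,
    ];
    curl_close($ch);   // the jar file is written here, not after curl_exec()
    return $info + ['body' => $body];
}

// Usage with a placeholder endpoint: print which hop set which cookie and
// where the redirect chain ended (a "timeout"/"signoff" URL, as in the trace,
// means the session did not survive one of the hops).
$jar = sys_get_temp_dir() . '/session-cookies.txt';
$r = login_with_cookie_engine('https://example.invalid/login', ['user' => 'u', 'pass' => 'p'], $jar);
foreach ($r['hops'] as $i => $cookies) {
    foreach ($cookies as $c) {
        printf("hop %d: %s (domain=%s path=%s%s)\n", $i, $c['name'],
            $c['attrs']['domain'] ?? '(host)', $c['attrs']['path'] ?? '(default)',
            isset($c['attrs']['secure']) ? ' Secure' : '');
    }
}
echo "ended at {$r['final_url']} after {$r['redirects']} redirects, HTTP {$r['status']}\n";
```

Two points worth keeping in mind when reading the per-hop output against the trace above. First, the second 302 sets `trans_url` for `Domain=.fiabusinesscard.com` with the `Secure` flag; a hand-built Cookie header that ignores attributes would replay such a cookie to every host on every scheme, whereas the engine only sends it where its scope allows. Second, the third 302 deletes `SMSESSION` with an `Expires` in 1970, so the string `SMSESSION=deleted` the poster keeps sending is a value the server already told the client to drop; inspecting the jar file after `curl_close()` shows what the engine actually retained.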