cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: curling password protected website with hidden dynamic variable on the login page

From: Ralph Mitchell <ralphmitchell_at_gmail.com>
Date: Thu, 4 Feb 2010 00:32:58 -0500

On Thu, Feb 4, 2010 at 12:03 AM, Maximilian Rausch <maxrausch_at_gmail.com>wrote:

> From: William Betts <william.betts_at_gmail.com>
> Date: Wed, 3 Feb 2010 19:14:44 -0800
>
> On Wed, Feb 3, 2010 at 11:10 AM, Maximilian Rausch
> <maxrausch_at_gmail.com>wrote:
>
> > I need to curl data that is on a password protected site and I am
> > first trying to get by the login page so that I can store the cookies
> > which will allow me to get to the password protected data with a
> > second call to curl. The login webpage is
> >
> > https://secure.ngx.com/sso/login
> >
> > However when the submit button is clicked on the login page it posts a
> > hidden variable "lt" which changes every time the page reloads (so you
> > can't curl the login page once and parse it to find the value and then
> > post it the next time). You can see this by taking a look at the
> > source code of the page. I have tried a live HTTP replay ( a function
> > of the live http headers plugin for firefox) but the replay does not
> > successfully login because I think that the the new page has a
> > different value for "lt" while the replay is posting the old value.
> >
> > I can not figure out how to get the value of 'lt' the first time I
> > curl the page so that I can post it along with the username, password,
> > and other necessary variables.
> >
> > Max
>
> >
> >Hello,
> >
> >After looking at the login page I assume you're talking about "<input
> >type="hidden" name="lt"
>
> >value="_cDA353F3E-64C2-4DF8-A7C6-6478B2BAC095_k3808E2D5-62BA-0552-1E53-C2AC9C4E71AE"/>".
> >
> >First you'll want to fetch the login page and store it in some variable.
> >Then run the regex below on it. The example is in PHP, but the regex
> should
> >work for other languages as well. The regular expression works, but could
> >probably be made better.
> >
> >preg_match_all('<input\s*type="hidden"\s*name="lt"\s*value="(.*?)"\s*\/>',
> >$html, $matches);
> >
> >Best of Luck,
> >William
>
> That is correct I am looking for that value and this idea is what I
> had originally thought of as a solution but there is a problem with
> it.
>
> I curl the page and use a regex to find the value of 'it', but then
> how do I submit the form with this value in the same call to curl?
>
> If you reload the page (or call curl again with the value of 'lt' from
> which I found previously) then the login will not work. This is
> because when you reload the page the value of 'lt' changes every time.
>
> I tried saving the session ID cookie but the value of 'lt' still
> changes every time the page is reloaded.
>
> Does anyone know of another way to accomplish a login to this website
> using curl?
>

It's a form, so you need to do a POST to submit the form, not a GET, which
just gets you a fresh copy of the original page. If you're doing this in C,
it's something like this, with appropriate replacements for XXXX, YYYY &
ZZZZ:

       curl_easy_setopt(hnd, CURLOPT_URL, "
https://secure.ngx.com/sso/login;jsessionid=02C40047EDC6229287C1264D2EE9808A
");

     curl_easy_setopt(handle, CURLOPT_POSTFIELDS,
"username=XXXX&password=YYYY&lt=ZZZZ&_eventId=submit&submit=Login");

     curl_easy_setopt(handle, CURLOPT_POST, 1);

though I haven't done a lot with libcurl, so I've probably left out some
stuff.

Ralph Mitchell

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2010-02-04