By jwage on

Why would this not work?

<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,"http://localhost/drupal/?q=node&destination=node");
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, 'PHP script');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "name=jwage&pass=password&form_id=user_login_block");

$contents = curl_exec($ch);

curl_close($ch);

if (strpos($contents, 'My account') !== FALSE)
{
echo 'SUCCESS';
} else {
echo 'FAILED';
}

unlink('cookies.txt');

This is on a brand new install. I am just logging in to it via curl and testing for the My account link in the navigation on the left.

Categories: Drupal 5.x

Comments

nevets’s picture

nevets commented

Drupal's form API works to avoid non-legitmit posting and may be rejectiing the attempt. I would print the results returned and see what you are getting. Another approach would be it in two steps. First use curl to goto the login page and use the results to post a result.

jwage’s picture

jwage commented

The resulting html shows the login form again. And the login form doesn't have any kind of token in it. The only that is required are these params: name=jwage&pass=password&form_id=user_login_block

If i login and let it write the cookies.txt then request again with the cookies.txt present then it gives me the drupal page with the administrator menu and the link name I am testing for in the script above.

nevets’s picture

nevets commented

So what do you mean by it does not work?

jwage’s picture

jwage commented

The login action if successful should redirect to the My account page with a logged in state. With curl, it follows the redirect but the html returned by curl_exec() does not have the logged in menu in the html, it shows the login form.

chx’s picture

chx commented

This is a CSRF attack as far as Drupal is concerned. Get the token and post it back.
--
The news is Now Public | Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile. |

--
Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.

chx’s picture

chx commented

well the token is needed for non-anon forms, i think. but here, you might need the build id.
--
The news is Now Public | Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile. |

--
Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.

chx’s picture

chx commented

build id is necessary for multistep forms. But here, you need a GET request and get the COOKIE before you can post.
--
The news is Now Public | Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile. |

--
Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.

giorgio79’s picture

giorgio79 commented

Hi,

Would you have maybe some code examples?

ClipGlobe - World Travel

My Drupal sites: