hotdog1983 Posted December 5, 2010

Hi guys, what I'm struggling to do is

1) Users land on https://www.mysite.com/login.php
2) Users type their email and password
3) POST data submitted to http://www.3rdparty.com/login.php with cURL
4) Users redirected to http://www.3rdparty.com/index.php (logged in).

I've been using this simple form to POST directly to the 3rd party site.

```html
<form name="loginform" method="post" target="_blank" action="http://www.3rdparty.com/login.php">
Email <input name="email" type="text">
Password<input name="password" type="password">
<input name="submit" type="submit" id="loginbutton" value="login">
</form>
```

This works great. But now I've installed an SSL on my site and I've just realised that using the form above, the data is still POSTed as plain text because the 3rd party site is not https. So I want to submit the form to my login.php form and let this form take the users to the 3rd party site. So at least the user input to my site is encrypted. My new code looks like this.

```html
<form name="loginform" method="post" target="_blank" action="login.php">
Email <input name="email" type="text">
Password<input name="password" type="password">
<input name="submit" type="submit" id="loginbutton" value="login">
</form>
```

```php
<?php
// Only forward the login once the form has actually been submitted.
if (isset($_POST['email'], $_POST['password'], $_POST['submit'])) {
    $Curl_Session = curl_init('http://www.3rdparty.com/login.php');
    curl_setopt($Curl_Session, CURLOPT_POST, 1);
    // http_build_query() URL-encodes the values, so characters such as & or = in a password survive.
    curl_setopt($Curl_Session, CURLOPT_POSTFIELDS, http_build_query([
        'email'    => $_POST['email'],
        'password' => $_POST['password'],
        'submit'   => $_POST['submit'],
    ]));
    curl_setopt($Curl_Session, CURLOPT_FOLLOWLOCATION, 1);
    // Return the response body as a string instead of echoing it directly.
    curl_setopt($Curl_Session, CURLOPT_RETURNTRANSFER, 1);
    // Send the request once and keep the body.
    $result = curl_exec($Curl_Session);
    curl_close($Curl_Session);
    print $result;
}
?>
```

What this code is doing now is it's just rendering www.3rdparty.com's login page (not logged in) on my site. When I type wrong values, it renders www.3rdparty.com's login page with an error message on it. So I think at least the values are being POSTed but it doesn't log me in.

All of the cURL code available out there seems to POST the data and fetch some results back, not redirect the users to another site. My ultimate goal is to POST the form and redirect the users to the 3rd party site's member area as well. I tried `header("Location: http://www.3rdparty.com/index.php");` but it just takes the user to that page without being logged in.

Could anyone give me some hints?
BlueSkyIS Posted December 5, 2010

you probably will not be able to accomplish this. here's why: when a browser (or your curl code) is logged in to 3rdparty.com, a cookie for the 3rdparty.com domain is set in the browser (or your code). you can't use your code to set the cookie for 3rdparty.com in the user's browser. therefore, the user's browser will not have the cookie and will not be considered logged in on 3rdparty.com.
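
The cookie scoping described in the reply above, as an added example that is not part of the original posts: a simplified model of the browser's RFC 6265 domain-match rule, using the thread's hostnames. The function names are hypothetical and public-suffix checks are left out.

```php
<?php
// Added illustration: simplified RFC 6265 cookie scoping (sections 5.1.3 and 5.3).
// Function names are hypothetical; hostnames are the ones used in the thread.

/** RFC 6265 5.1.3: does $host domain-match $cookieDomain? */
function domainMatches(string $host, string $cookieDomain): bool
{
    $host = strtolower($host);
    $cookieDomain = strtolower(ltrim($cookieDomain, '.'));
    if ($host === $cookieDomain) {
        return true;
    }
    // A suffix match only counts on a label boundary, and never for IP addresses.
    $suffix = '.' . $cookieDomain;
    return substr($host, -strlen($suffix)) === $suffix
        && filter_var($host, FILTER_VALIDATE_IP) === false;
}

/** Would a browser store a cookie that a response from $responseHost tries to set? */
function browserAcceptsCookie(string $responseHost, ?string $domainAttr): bool
{
    // No Domain attribute: the cookie becomes host-only for the responding host.
    if ($domainAttr === null || $domainAttr === '') {
        return true;
    }
    // With a Domain attribute, the responding host must itself match that domain.
    return domainMatches($responseHost, $domainAttr);
}

/** Would the browser attach a stored cookie to a request for $requestHost? */
function browserSendsCookie(string $requestHost, string $cookieHost, bool $hostOnly): bool
{
    return $hostOnly
        ? strtolower($requestHost) === strtolower($cookieHost)
        : domainMatches($requestHost, $cookieHost);
}

// Case 1: login.php on www.mysite.com sends Set-Cookie with Domain=3rdparty.com.
var_dump(browserAcceptsCookie('www.mysite.com', '3rdparty.com'));
// Case 2: the same cookie without a Domain attribute is stored for www.mysite.com only...
var_dump(browserAcceptsCookie('www.mysite.com', null));
// ...so it is not attached when the user is redirected to www.3rdparty.com.
var_dump(browserSendsCookie('www.3rdparty.com', 'www.mysite.com', true));
// Case 3: www.3rdparty.com setting a cookie for its own domain.
var_dump(browserAcceptsCookie('www.3rdparty.com', '3rdparty.com'));
```

The session cookie that cURL receives on the server therefore never reaches the user's browser in a form that 3rdparty.com will see.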
hotdog1983 Posted December 5, 2010

Thanks a lot for your reply. Now I understood why I couldn't be logged in while I can post the data. I found a thread of someone else who had the same issue at http://www.webhostingtalk.com/showthread.php?t=696569

Someone there said

> Send login data to remote site, and receive the response (result). You can either fopen/fget or cURL.
> Extract the PHP session ID from the result and put it in a variable like $session.
> Redirect the user to the remote site, with the session ID: header("location: http://website.tld/after_succesful_login_page.php?PHPSESSID=$session")

Do you think this is possible?
BlueSkyIS Posted December 5, 2010

that is the only way i could think of to accomplish this. but it assumes the target site 1. will send PHPSESSID for you to use, 2. will take PHPSESSID from the URL and/or 3. is 'dumb' enough to let something like that work.

it's essentially session hijacking. i don't know if apache and/or other web servers look for this stuff or not. it seems so obvious that i would expect there to be protection in place against it. a major concern is the sudden change of IP address from the server that logged in and the web browser that goes to the site afterward. also: user agent will change unless you adapt the user agent of the web browser before the login..... i am still very skeptical..
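
The protections mentioned in the reply above, seen from the target site's side, as an added example that is not part of the original posts and not any real site's code. It assumes a PHP 7.3+ site served over HTTPS; the function names are hypothetical.

```php
<?php
// Added illustration: how a PHP site refuses a session ID handed over in a URL
// and notices a session that moves to a different client.

// Session IDs are accepted from cookies only; ?PHPSESSID=... in the URL is ignored.
// (Both values are the defaults in current PHP, stated explicitly here.)
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Discard any session ID the server did not issue itself.
ini_set('session.use_strict_mode', '1');
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

/** Hash of the client's User-Agent. IP binding is left out: it breaks mobile users. */
function clientFingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

/** Call after the password check succeeds (hypothetical hook). */
function onSuccessfulLogin(int $userId): void
{
    // Issue a fresh ID so one that was known before login stops working.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['fingerprint'] = clientFingerprint();
}

/** Returns the logged-in user ID, or null if the session is missing or has moved. */
function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])) {
        return null;
    }
    if (!hash_equals($_SESSION['fingerprint'], clientFingerprint())) {
        // Same session ID, different client: treat it as stolen and drop it.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return $_SESSION['user_id'];
}

session_start();
```

On a site configured like this, a login performed by a server-side cURL client cannot be continued by the user's browser, whether the ID arrives in the URL or the User-Agent differs.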
hotdog1983 Posted December 5, 2010

Thanks again for your reply. I really appreciate it. When I look at the HTTP headers, I see

Set-Cookie: PHPSESSID=2btu73afurcpm632sr9dsqpjo2; path=/

I'm not really sure how sessions work.. How do I test if the target site takes session ID from URL? Can I type like www.3rdparty.com/index.php?PHPSESSID=2btu73afurcpm632sr9dsqpjo2 on a different browser like Chrome while I'm logged in on Firefox?

Arggggg this is driving me crazy. I got my contact mail form page secured, signup page secured using cURL, and it's going to be funny to see my login page sending plain text data lol. What can I do if I don't have any control over the target site's security policy? I just wanted to make it a bit safer at least at the user end.

Thanks again BlueSkyIS, hope you have a good one.