Using cURL to log into ExpressionEngine
Development and Programming
Two questions… I’ve (finally) successfully logged in using a small cURL script I found online:
<?php
$url ="http://myeesite.com/index.php/login-template/";
// need to replace username and password with variables...
$curlPost = 'ACT=11&RET=path/template&username;='.urlencode('xxx').'&password;='.urlencode('xxx').'&submit=Submit';
// set a handle and starts cURL session
$ch = curl_init();
// set the url
curl_setopt($ch, CURLOPT_URL, $url);
// return server header response
curl_setopt($ch, CURLOPT_HEADER, 1);
// don't send the response straight to the browser...
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// send the form response via POST
curl_setopt($ch, CURLOPT_POST, 1);
// try any authentication
//curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
curl_setopt ($ch, CURLOPT_COOKIEJAR, 'widget_cookie.txt');
curl_setopt ($ch, CURLOPT_POSTFIELDS, $curlPost);
$data = curl_exec ($ch);
curl_close ($ch);
echo $data;
?>However, I was forced to disable secure forms so that XID was not required.
Question 1: Has anyone ever done this without disabling secure forms?
I’m trying to help a team of software developers figure out how to have their application log in and access an XML feed of graphics and add-ons from ExpressionEngine. Each license holder will have a member profile within ExpressionEngine so, in theory, it should be possible. I’ve set $url in the code above to point to a template with a special login form that returns to my XML file. It works within a web browser, but I have no idea how the software team will integrate that into their application.
Question 2: Does anyone have a better idea of how to achieve this?
I’m certainly not looking to get any full-blown solutions, but I’d certainly appreciate some honest advice or plain ol’ wisdom.
Thanks, addison
you could ping a page with a login form on it to scrape a valid XID hash and send that in your login attempt perhaps.
Thanks, Ty – I’ll check that out. I’ve heard of people scraping blogs and such, but I never imagined it for a use like this.
I usually achieve this by using templates with “Enable HTTP Authentication” turned on. Then you can just have them ping the url with the username and password, like: http://username:[email protected]/template/
Rob, that’s the route the software engineers were hoping to take, but I had no idea it was there – thank you!
However, it appears that user data like screen_name and email are not available with this method. Is there any way around that?
However, it appears that user data like screen_name and email are not available with this method. Is there any way around that?
I had no idea about that. Is {member_id} or {logged_in_member_id} available? If so, then you can probably use the custom profile data tag with the member_id param.
Nope. Neither is available. I can get the username with:
$_SERVER['PHP_AUTH_USER'];but I need the ID to get the other member info.
I’ll keep tinkering and see if I need to go back to cURL. Thanks.
Well, I think we’re settling on HTTP authentication since it’s more straightforward and feels less “hacky” than using the cURL stuff. We’ll use the PHP variable for getting the username for tracking and be happy with that. Thanks for your help, guys.
-Addison