Hi all.

I want to create my own personal login gateway into Gmail/Facebook/any other site. In this gateway I enter my master username and password, then I can choose where to log in (Gmail/Facebook/etc.) without entering those usernames because they are stored on the server.

I tried to implement this by using cURL to send a POST request with the headers and post data sent in Firefox during a regular login. However, this doesn't work for either Facebook or Gmail.

Has anyone tried this, or does anyone have an idea why this doesn't work?

Thanks.

// Edited: I am thinking the reason it doesn't work lies in the fact that the IP address of the PHP server which sent the curl request to Gmail is different from my browser's, so when the response from the Gmail server is fed back to the browser, it still cannot authenticate.

Or is it that the cookie I sent using curl to the Gmail server actually changes according to time?

A: 

This is not necessarily feasible. Gmail and Facebook may be doing very simple checks to see who the referer is and, when it comes from your site rather than their own login page, refuse to log in. These are basic security checks.

You would need to look at their API to see if you can do anything, or possibly you could use JavaScript and a Firefox plugin to write your username and password to the web form and then submit the form. A bit of a hack, but it might do what you want.

Toby Allen
Thanks for your response. I understand your alternative. However, what I really want to do is log in to Gmail without entering the real username/password from any computer. Besides, I believe that the basis of logging in to Gmail/Facebook is to send a proper request header and post data. I think it is still doable?
Tony
A: 

There is no reason why the cURL method you tried won't work with the correct headers. Playing around scraping sites like digg.com, I found I needed a valid USER AGENT header and of course an appropriate REFERER URL. Keep going with the curl technique if that will work best for you overall. Use an HTTP header add-on for Firefox to see what headers you are sending to Gmail and then fake them completely.

Question Mark
Thanks for the reply. Problem is that the request header is sent by PHP and I can only see the response request on Firefox. The response is actually from the login page, which asks me to log in because the header I sent is not correct. So it's a bit hard to see why this doesn't work.
Tony
I mean use FF to log in normally just once to have a look at the request and response, copy that and try to emulate those headers in cURL.
Question Mark
Thanks, that's what I did. I copied the request header from the LiveHttpHeader add-on of FF, but this set of headers doesn't seem to make things correct. I am stuck :(
Tony
A: 

Hi Tony,

Try using Firebug to find out what the response returned. It should always give you the best lead.

I see no reason why it won't work; I read my Gmail and Analytics with cURL.

Digital Craft Studios
Thanks for the reply. Problem is that the request header is sent by PHP and I can only see the response request on Firefox. May I ask, are there special headers that need to be sent? I suspect that maybe the browser missed some cookie to send after PHP sent the request?
Tony
You should check this resource: http://www.askapache.com/webmaster/login-google-analytics.html. It should serve as a good lead.
Digital Craft Studios
A: 

Have you configured curl to accept and store cookies? Usually once you've been authenticated for an online service it will send you a security token in the form of a cookie that you can send back with every subsequent request to verify your authorisation.

cxfx
A: 

Based on your reply to my comment, cURL is useless for your problem. You need to authenticate your browser with your services (Gmail, Facebook, ...); what you are doing now is authenticating your script (or your server).

You will have to use JavaScript to accomplish what you want. If you store your credentials for the services on your server, then send them back to the client once you successfully log in to your webpage. Then you could create a hidden iframe with the "src" attribute set to the login page of the chosen service. Once the iframe loads you can fill the login information (username/password) into the appropriate fields and submit the form. Once this is complete you should be logged in to your services. There are probably some other techniques but this is the first that springs to mind ...

Jan Hančič
So what you mean is that the following won't work: first log in to my script using my user/pass; once my script checks this info, it then sends a POST request using curl to Gmail with the stored user/pass and passes the response header and data back to the browser? Is it because the POST request was sent from the server instead of the browser?
Tony
Nope, it won't work. The browser must create the request so that it gets the proper cookies, and you can't create a cookie for some other domain.
Jan Hančič
Thanks for your reply. So the key lies in the domain specific property of cookies.
Tony
I'm not sure what you mean by "domain specific property of cookies"
Jan Hančič
Meaning cookies are domain-specific; they only work on the domain for which they are set.
Tony
Yes, of course, that's what I said :)
Jan Hančič
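
The cookie scoping discussed in the last answer and its comments, as an added example that is not part of the original thread: a simplified model of the RFC 6265 storage and sending rules, showing why a session cookie relayed by the gateway never authenticates the browser to the service. The host names (`gateway.example`, `mail.service.example`) and the cookie value are constructed.

```javascript
// Simplified model of RFC 6265 cookie storage and sending (no public-suffix check).
// Host names and cookie values are constructed for illustration.

// Section 5.1.3: does host equal the cookie domain or sit below it?
function domainMatch(host, domain) {
  const h = host.toLowerCase(), d = domain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// What a browser stores for a Set-Cookie header received from responseHost.
// Returns the stored cookie, or null when the header is ignored.
function storeCookie(responseHost, setCookie) {
  const [pair, ...attrs] = setCookie.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null;
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: responseHost.toLowerCase(), hostOnly: true };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    if (k.toLowerCase() !== "domain" || v === "") continue;
    const d = v.replace(/^\./, "").toLowerCase();
    // Section 5.3: a Domain the responding host does not fall under is ignored.
    if (!domainMatch(responseHost, d)) return null;
    cookie.domain = d;
    cookie.hostOnly = false;
  }
  return cookie;
}

// Section 5.4: is a stored cookie attached to a request for requestHost?
function isSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// Constructed scenario: the gateway relays the session cookie its cURL login received.
function relayOutcome() {
  const gateway = "gateway.example";       // hypothetical gateway host
  const service = "mail.service.example";  // hypothetical third-party service
  const relayed = "SID=abc123; Domain=service.example; Path=/";
  const stripped = storeCookie(gateway, "SID=abc123; Path=/"); // Domain removed
  return {
    relayedStored: storeCookie(gateway, relayed) !== null,  // rejected by browser
    strippedSentToService: isSentTo(stripped, service),     // stays on the gateway
    strippedSentToGateway: isSentTo(stripped, gateway),
    directStored: storeCookie(service, relayed) !== null,   // service sets its own
  };
}
```

Only the response that comes directly from the service's own host leaves the browser holding a cookie it will send back to that service.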