views: 58
answers: 4

I have a web-site based on PHP, to which I would like to add a members-only area. Instead of creating my own registration/login pages, I would like to make a piece of code which will check whether the user is logged in on a particular site (for simplicity, we could assume that this site is Facebook) and if yes, allow him to navigate on my site. If no, tell him to log on to that site and come back after that.

I would like to accomplish this by making my site open a page on that site, that has a welcome screen if the user is logged in or requires the username/password otherwise. By analyzing the content of that page, I would be able to see if the user is logged in or not.

I have tried to achieve this by using CURL (see the code below), but did not succeed, as even if the user was logged in on that site via the same browser, when opening my site it was shown as if he wasn't. I suppose that the problem is in the cookies, as I have read somewhere that while making CURL requests the cookies saved in the browser are not available.

Is there any way to make a PHP script open a page from another site, using the cookies stored in the browser (the cookies were created previously by that site)?

Here is the PHP code from my site:

<?php
// Open a cURL handle and fetch the page. This request is made by the server,
// so it does not carry any cookies stored in the visitor's browser.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'www.my-site.com');
curl_setopt($ch, CURLOPT_HEADER, true);          // include response headers in the output
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  // return the response instead of printing it
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);  // follow redirects
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);    // connection timeout in seconds
curl_setopt($ch, CURLOPT_USERAGENT, 'User agent');
$data = curl_exec($ch);
curl_close($ch);
echo($data);
+3  A: 

Your users' browsers will not send you their Facebook cookies. Without these, you cannot implement your plan. If you could get them, you'd have effectively hacked the person's Facebook account, which you don't want to do, right?

Try OpenID, used by such sites as stackoverflow.com.

grossvogel
Actually I do not need the cookies, I just need to see the content of that page (for opening it the browser has to use the cookies stored on the client machine)
Max
If the browser opens it using its cookies, you don't get access to the request in any way, shape or form. If your PHP opens the page, you don't get the browser's cookies.
Frank Farmer
+1  A: 

You can't get cookies that weren't set by your site (or one on the same domain).

From http://en.wikipedia.org/wiki/HTTP_cookie#Privacy_and_third-party_cookies :

"Cookies have some important implications on the privacy and anonymity of Web users. While cookies are sent only to the server setting them or the server in the same Internet domain, a Web page may contain images or other components stored on servers in other domains. Cookies that are set during retrieval of these components are called third-party cookies. This includes cookies from unwanted pop-up ads."

OpenID is a decent way to deal with this. Zend supposedly has a decent library for doing this (though I haven't tried it myself): http://devzone.zend.com/article/3581

Update: Here's an article I found using cURL, since you said you're already using that: http://www.110mb.com/forum/tip-how-to-use-simple-openid-t30219.0.html

Curtis
OK, but can I somehow open a page from that site (it does not support OpenID, as it is a closed-membership one) using some piece of code on my site? I do not need to see the value of the cookies, I just need the content of that page (to open it, cookies from the client machine's browser are needed).
Max
+3  A: 

First, this is an absolutely horrible way to handle login for your website.

Second, if it's actually Facebook that you want to use, they have an API you can look into to find out if your user is logged in.

Third, CURL can only store and use cookies present on the machine that the code runs on - that's your server, not your user's computer.

If you really can only serve users that are registered at another site, try to cooperate with that site in some way. Otherwise, you can ask your users for their username and password to the other site, then attempt to log in with CURL from your server to see whether the username and password are valid.

Scott Saunders
Actually it's not Facebook, it's a site with closed membership and I need to allow access on my site only to the users who have an account on that closed membership site. OK, but is there any way to accomplish this in some other way using PHP or via another web-based programming language?
Max
You can ask your users for their username and password to the other site, then attempt to log in with CURL from your server to see whether the username and password are valid.
Scott Saunders
@Scott Saunders: That comment looks like the most helpful answer so far. You should add it to your answer.
grossvogel
I've updated my answer with the solution in my comment.
Scott Saunders
+1  A: 

I actually think this is a really good question. So here are some thoughts.

First, cookies are explicitly designed not to allow this to happen. Think about it: when you go to facebook.com from home, then that's great - fbook uses cookies to keep track of your login status and that cookie is bound to your browser session. Someone else checking facebook from their office would have no knowledge of your login - because it's just a completely different request from a different browser on a different computer with a different IP address and a different set of cookies. So far so good.

So think about it: you log onto facebook from your computer. Now you open up this special web page - which is trying to use cURL to see information about your session (whether or not you're logged in.)

Well, "opening a curl session" is equivalent to "opening a browser session", right? Only your "web browser" has a different interface: command line versus GUI.

Which means that cURL is effectively a separate entity from a separate domain opening facebook, just like the office worker checking their page is totally independent from yours.

Moreover, cookies are implemented in browsers such that one domain (user382155.com) is not allowed to access cookies from another domain (facebook.com). This is for security reasons.

So how can you accomplish this? Here are some ideas. (Some of these are bad ideas. But the idea is to start thinking about solutions.)

  1. You could run your cURL script on the same computer as your web browser. You know, run a web server locally. Then you could play with Apache/PHP settings so that your PHP script can access your browser's cookie files. Then your script could use that cookie information to determine whether or not to let you log on. Or redirect you to a website on your own domain (bad idea). Or something.

  2. You could use some clever Firefox extension or Greasemonkey script to do this "cross site scripting" for you, to check the status of Facebook cookies and use that to auth your own website. This is in line with the previous suggestion. The problem is that you need the client to install a script of some sort. You might be able to do something clever with JavaScript but I doubt it; that's exactly what an "XSS" attack is.

  3. You could monitor the login process of Facebook and try to reverse-engineer what it's doing. I'd recommend LiveHTTPHeaders to help with this. Then you could have your web form get the fbook username/password and then use cURL to "mimic" the login process using that information. This might be against Facebook's policies. (Of course, substitute "Facebook" with whatever website you're interested in. In the case of Facebook, this is explicitly against their policies.)

None of these are great solutions (and they're insecure, probably violate ToS, blahblahblah). You're trying to do something which the web is explicitly designed not to do.

After all that, to answer your question: no, there is not a way for one domain to access the cookies of another domain. (But you can sure try!)

rascher
Thank you for your answer, it really made the situation clear for me.
Max
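The point made in the second and fourth answers, that a browser only attaches a cookie to requests for the domain that set it and that a server-side cURL request starts with no browser cookies at all, can be modelled in a few lines. The PHP below is an added example, not code from the question or from any of the answers; the cookie jar contents, host names and the `domainMatches`/`cookiesForRequest` function names are constructed for illustration, and the matching rule follows RFC 6265 section 5.1.3.

```php
<?php
// Added example: a model of the browser-side rule that decides which stored
// cookies are attached to a request (RFC 6265, section 5.1.3). All cookies
// and host names below are constructed for illustration.

// A request host domain-matches a cookie domain when it is identical to it or
// is a subdomain of it. IP addresses never match a broader cookie domain.
function domainMatches(string $host, string $cookieDomain): bool
{
    $host = strtolower($host);
    $cookieDomain = strtolower(ltrim($cookieDomain, '.'));   // a leading dot is ignored
    if ($host === $cookieDomain) {
        return true;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;
    }
    $suffix = '.' . $cookieDomain;
    return strlen($host) > strlen($suffix)
        && substr($host, -strlen($suffix)) === $suffix;
}

// Pick the cookies from a jar that a browser would send to $host.
// A cookie stored without a Domain attribute is "host-only" and goes back to
// exactly the host that set it; one stored with Domain=.example.com goes to
// example.com and all of its subdomains.
function cookiesForRequest(array $jar, string $host): array
{
    $sent = [];
    foreach ($jar as $cookie) {
        $matches = $cookie['hostOnly']
            ? strtolower($host) === strtolower($cookie['domain'])
            : domainMatches($host, $cookie['domain']);
        if ($matches) {
            $sent[$cookie['name']] = $cookie['value'];
        }
    }
    return $sent;
}

// Constructed contents of the visitor's browser cookie jar: a session cookie
// set by the membership site and one set by the asker's own site.
$browserJar = [
    ['name' => 'sess',      'value' => 'abc123', 'domain' => '.facebook.com',   'hostOnly' => false],
    ['name' => 'PHPSESSID', 'value' => 'k9f2',   'domain' => 'www.my-site.com', 'hostOnly' => true],
];

// Requests the browser makes to the membership site carry that site's cookie.
print_r(cookiesForRequest($browserJar, 'www.facebook.com'));
// Requests to the asker's site carry only the asker's own cookie, so the PHP
// running on my-site.com never receives the membership-site session.
print_r(cookiesForRequest($browserJar, 'www.my-site.com'));
// A look-alike host that merely ends in the same letters does not match either.
print_r(cookiesForRequest($browserJar, 'notfacebook.com'));

// The server-side cURL request has its own jar, read from a file on the
// server (CURLOPT_COOKIEFILE) if one is configured at all. With nothing
// configured it is empty, which is why the page fetched by the question's
// script shows the logged-out view.
$serverJar = [];
print_r(cookiesForRequest($serverJar, 'www.facebook.com'));
```

Run it with `php cookie_scope.php` (file name assumed). The two functions are the check a browser performs on every request; the script from the question is a separate HTTP client running on the server with its own, initially empty, cookie jar, so no configuration on the PHP side can make it present the visitor's session to the other site.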