5

We use CURL to automate some administrative tasks on a web application that uses SSO cookie for all the sites on the domain. Recently, there was a change in the authentication system on the application that we had been automating with. That's fine. We changed the CURL script to conform to the new authentication. We are able to get cookies and save to the jar.

The problem is the way the cookie is saved. I looked at how the headers in Google Chrome and Mozilla Firefox and the response headers are the same that I see in CURL. However the cookie in the cookie jar isn't saving the cookie in a way that it can be sent to the subsites in the Domain.

The CURL Example is as follows:

curl -c mycookie "https://login.example.com" -d loginUID=myusername -d loginPWD=mypassword

The format it's saving is:

login.example.com FALSE / TRUE SSOCookie automatedvalue

The cookie will be consumed by the subsites if we manually change the cookie to:

.example.com TRUE / TRUE SSOCookie automatedvalue

I'm not sure why the cookies would be saved as such.

Does anyone know what would cause CURL to save the cookies as such? Or if there is a work around other than manually/scripting a change to be used for the entire domain?

Note: When I do a -v on setting the cookies. It says *Replased cookie SSOCookie "uniquecookieid" for domain login.cat.com

Thank you,

Improve this question
5
  • Can you provide an example of the CURL you're using to set the cookie? Commented Dec 6, 2013 at 18:37
  • I went ahead and added an example. Here it is: curl -c mycookie "login.example.com" -d loginUID=myusername -d loginPWD=mypassword Commented Dec 7, 2013 at 4:20
  • Since it's reading the remote cookie in this case, there's not really much you can do about it; the problem lies with the cookie you're retrieving. Are you able to change the way cookies are generated on the site itself? if not, you're going to be stuck writing something to parse and correct the cookies once they're downloaded. Commented Dec 7, 2013 at 4:34
  • That's what I was afraid of doing. One thing I figured out is if I use --dump-header header, I can use -b to send the header as a cookie and that works. The problem is the sub site also sets a session cookie, and I can't save and use both cookies Commented Dec 7, 2013 at 5:12
  • Right, exactly. If you're doing this purely with curl, I think you're SOL. What about using the CLI version of php and writing the cookie into curl that way? Commented Dec 7, 2013 at 5:37

1 Answer 1

Reset to default
8

After spending two weeks and many hours I finally found the solution. The reason the cookie wasn't being set was because the server checked to see where the request was being made from. In the curl command I added a --referer to the domain of the site.

curl -c mycookie "https://login.example.com" -d "loginUID=myusername" -d "loginPWD=mypassword" --referer "https://login.example.com"

The cookie jar now contains a cookie that can be used to send to the server.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

How would this work for subdomains like login-other.example.com? Or in your situation, could you pass example.com and it would work?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.