mehulmpt

Reputation: 16597

Logging into Microsoft Live does not return expected "302" with CURL: does the server know that PHP is used?

I'm using PHP to log in to my Microsoft account and perform an action or two. I've so far realised that you need a PPFT token as a CSRF token to log in to Microsoft. I'm doing this:

$PPFT = file_get_contents('http://login.live.com');

preg_match('/id\="i0327" value\="(.*?)"\//', $PPFT, $key);

$ch = curl_init('https://login.live.com/ppsecure/post.srf');
$query = http_build_query(array('login' => '[email protected]', 'passwd' => '_MY_EMAIL_ADDRESS_PASSWORD', 'PPFT' => "{$key[1]}"));
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_NOBODY, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // verify the server certificate: the password is sent over this connection
curl_setopt($ch, CURLOPT_POSTFIELDS, $query);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36','Origin: https://login.live.com','Content-Type: application/x-www-form-urlencoded; charset=UTF-8','Referer: https://login.live.com/'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$result = curl_exec($ch);

curl_close($ch);

var_dump($result);

It gives me:

string(512) "HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Length: 6777
Content-Type: text/html; charset=utf-8
Expires: Fri, 20 Feb 2015 15:33:19 GMT
Server: Microsoft-IIS/8.5
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
Set-Cookie: MSPOK=$uuid-49105e9d-c262-4b46-9fa7-710d3058e6fe; domain=login.live.com;secure= ;path=/;HTTPOnly= ;version=1
X-Frame-Options: deny
PPServer: PPV: 30 H: BAYIDSLGN1B021 V: 0
Date: Fri, 20 Feb 2015 15:34:19 GMT
Connection: close

which is certainly not OK.

If you are complaining about more headers, then see this image.

Using jQuery (JavaScript), I can log in to my own account by running this JavaScript on https://login.live.com

x = document.createElement('script');
x.src = 'https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js';
document.body.appendChild(x);

$.post('https://login.live.com/ppsecure/post.srf', 
{ 
login: '[email protected]', 
passwd : 'MY_PASSWORD', 
PPFT : 'Cke!8IRbHV6V95QHkcbjUrMQWetwe7vQchGSnm1*l8NpcMMCeTqAGLZ8xjeFF7NzHJ3enl6ycLRUn0iCgoncbOPyLNPozOq2miY33O0TKGMRZWm70T*7PyslhBIJxvHumMpWH7tbEcIU0HRWs7cgdchinYgQzt85aoktbtrJTTz72Vo5qltscLxChJeOZ73mcg$$' 
}, 
function(data, status, xhr) { console.log(data+"\n"+status+"\n"+xhr.getAllResponseHeaders()); 
});

And it works fine. Check this screenshot:


But on PHP, it simply looks like Microsoft knows that I'm using PHP. How come I can log in with a JavaScript $.post request but not with PHP? Is this because I'm requesting the PPFT token with file_get_contents and POSTing data with cURL? But the HTML from cURL has the same tokens as that from file_get_contents(). So what's wrong?

Upvotes: 0

Views: 817

Answers (1)

greg_diesel

Reputation: 3005

It looks like you are missing the redirect in the Curl. jQuery is in the browser so it will automatically follow the redirect. Curl on the other hand by default does NOT follow redirects.

Add this to your PHP curl request and give us the result:

curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

Follow up.

I've tried to do this a variety of ways and it does not seem to be working. I even fetched the entire page for the login, displayed it on my server, and then filled it in correctly and submitted and it gets rejected for bad login credentials.

My guess is that Microsoft is checking the remote client address and making sure that the submission is actually coming from a Microsoft login web server and not just anywhere. This seems very reasonable to me.

If my assumption above is correct then you will need to use something more like a crawler to get to the content. Most Microsoft sites I visit are JavaScript-heavy, which means you need a JavaScript-enabled crawler. That's gonna have to be a new question. Here's a link to a question about that: "Make a JavaScript-aware Crawler", or this one: "Web crawler Parsing PHP/Javascript links?"

Upvotes: 1
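
As an added example (not part of the question or the answer above, and not Microsoft's code): the question treats PPFT as a CSRF token, and one common way to validate such a token is to bind it to the session cookie issued with the form. Assuming that design, the code below shows why a token sent without its matching cookie gets the form back with a 200 instead of a 302; `SERVER_KEY`, the `SESSION` cookie name, `issueToken()` and `handleLoginPost()` are hypothetical.

```php
<?php
// Added illustration (constructed): a form token bound to the session cookie.
// SERVER_KEY, the SESSION cookie name and handleLoginPost() are hypothetical.
const SERVER_KEY = 'constructed-demo-key';

// Token embedded in the login page: an HMAC over the session id from the cookie.
function issueToken(string $sessionId): string
{
    return hash_hmac('sha256', $sessionId, SERVER_KEY);
}

// Returns the status code the client sees for a login POST.
function handleLoginPost(array $cookies, array $post, string $storedHash): int
{
    $sid   = (string) ($cookies['SESSION'] ?? '');
    $token = (string) ($post['PPFT'] ?? '');
    // The token is only valid together with the cookie it was issued for.
    if ($sid === '' || !hash_equals(issueToken($sid), $token)) {
        return 200; // login form is rendered again, no redirect
    }
    if (!password_verify((string) ($post['passwd'] ?? ''), $storedHash)) {
        return 200; // wrong password: form is rendered again
    }
    return 302; // token and credentials accepted: redirect to the account
}

// Constructed sample data.
$storedHash = password_hash('constructed-password', PASSWORD_DEFAULT);
$sid  = bin2hex(random_bytes(16));   // sent as a cookie with the login page
$form = [
    'login'  => 'user@example.test',
    'passwd' => 'constructed-password',
    'PPFT'   => issueToken($sid),    // hidden field in the same response
];

$cases = [
    'cookie and token from the same response'  => ['SESSION' => $sid],
    'token only, no cookie sent'               => [],
    'token with a cookie from another session' => ['SESSION' => bin2hex(random_bytes(16))],
];
foreach ($cases as $label => $cookies) {
    printf("%-42s -> HTTP %d\n", $label, handleLoginPost($cookies, $form, $storedHash));
}
```

Only the first case reaches the redirect; the other two fail the `hash_equals()` check even though the token value itself is genuine.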
