CODEWITHSUNDEEP
authenticationcurlcookies
Pierre Michard
Pierre Michard

Reputation: 1391

use curl with cookies

I'm trying to use curl to authenticate my web server on order to do some secured requests using curl.

To authenticate I use the following command:

curl -c cookie.txt -H 'Content-Type: application/json' --data -d "{\"admin_user\" : { \"email\" : \"[email protected]\", \"password\" : \"very_secured\"}}" -X POST http://localhost:3000/admin/login

The authentication works well. I see that the server creates a new session Id. 

UPDATE "admin_users" SET "last_sign_in_at" = '2015-11-12 19:41:32.927958', "current_sign_in_at" = '2015-11-12 20:04:32.798444', "sign_in_count" = 317, "updated_at" = '2015-11-12 20:04:32.861759' WHERE "admin_users"."id" = 13

So I then try to reuse the cookie I receive from the response to retrieve some data from my server:

curl -b cookie.txt  'http://127.0.0.1:3000/admin/my_secured_page'

Nevertheless I get redirected back to the login page with an error 401: Completed 401 Unauthorized in 4.6ms

I tried to compare what I'm doing with what Firefox and Chrome do but I don't see any difference on the authentication procedure.

When I use a cookie retrieve by Chrome or Firefox it works, but the ones generated by curl don't.

I even tried to edit a cookie generated by curl to edit the session id to a session Identifier copied from a chrome cookie, and that works too.

When I compare on the request headers the cookie returned by the login page and the one I send to the secured page, they have the same value.

does anybody have any clue on what I'm doing wrong?

Upvotes: 2

Views: 4975

Answers (1)

Pierre Michard
Pierre Michard

Reputation: 1391

I found the issue by myself, the authentication page contains an authenticity token which should be passed to the authentication request.

To solve this issue python requests saved my life by making it easy:

import requests
import re
from urlparse import urljoin

session = requests.session    
url = urljoin(server_url, 'admin/login')
r = session.get( url)
matchme = 'meta content="(.*)" name="csrf-token" '
csrf = re.search( matchme,str(r.text))

session.post( url, data={ 
        "admin_user[email]" : admin_email,
        "admin_user[password]" : admin_password,
        "authenticity_token" :  csrf.group(1),
        "commit" : "Login"
})

And that's done, we're now authenticated and we can use this session to browse as an authenticated user:

res = session.get(secured_url)

Upvotes: 1

Related Questions