When using Postman locally on my machine, I am able to send the request no problem and get a response back. Because of the invalid token I am sending the API, I should receive this back.
```json
{
  "status": "Error",
  "message": "Invalid API Token"
}
```
Using Postman's utility to generate PHP cURL code to make this request, I get this.
```php
$curl = curl_init();
curl_setopt_array($curl, array(
    CURLOPT_URL => "https://app.mobilecause.com/api/v2/reports/transactions.json",
    CURLOPT_RETURNTRANSFER => true,   // return the body instead of printing it
    CURLOPT_ENCODING => "",           // accept any encoding cURL supports
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 30,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "GET",
    CURLOPT_POSTFIELDS => "",
    CURLOPT_COOKIESESSION => true,    // start a new cookie session
    CURLOPT_COOKIEFILE => "cookie.txt", // read cookies from this file
    CURLOPT_COOKIEJAR => "cookie.txt",  // write cookies here on curl_close()
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_HTTPHEADER => array(
        'Authorization: Token token="test_token"',
        "Content-Type: application/x-www-form-urlencoded",
        "cache-control: no-cache",
    ),
));
curl_setopt($curl, CURLOPT_VERBOSE, true); // log the exchange to STDERR
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
    echo "cURL Error #:" . $err;
} else {
    echo $response;
}
```
Running this code on my webserver results in a page body returned that is a Cloudflare landing page, specifically this.
Please enable cookies.
One more step
Please complete the security check to access app.mobilecause.com
Why do I have to complete a CAPTCHA?
Completing the CAPTCHA proves you are a human and gives you temporary access to the web property.
What can I do to prevent this in the future?
If you are on a personal connection, like at home, you can run an anti-virus scan on your device to make sure it is not infected with malware.
If you are at an office or shared network, you can ask the network administrator to run a scan across the network looking for misconfigured or infected devices.
Cloudflare Ray ID: RAY_ID • Your IP_REDACTED • Performance & security by Cloudflare
I cannot explain why this happens. I have a valid 'cookie.txt' that is getting written to, but it seems like it is missing content.
The cookie that curl writes through this request stored in 'cookie.txt' looks like this. (Redacted potentially sensitive information.)
```
#HttpOnly_.app.mobilecause.com TRUE / FALSE shortStringOfNumbers __cfduid longStringOfNumbers
```
The cookies generated by Postman when executing the command through Postman look like this. (Redacted potentially sensitive information.)
```
__cfruid=longStringOfNumbers-shortStringOfNumbers; path=/; domain=.app.mobilecause.com; HttpOnly; Expires=Tue, 19 Jan 2038 03:14:07 GMT;
__cfduid=longStringOfNumbers; path=/; domain=.app.mobilecause.com; HttpOnly; Expires=Thu, 23 Jan 2020 04:54:50 GMT;
```
Essentially it seems like the PHP request is missing the '__cfruid' cookie. Could this be the cause?
Copying this exact code into http://phpfiddle.org/ produces this same Cloudflare landing page. Running this locally on my machine produces the expected result.
Upvotes: 8
Views: 8232
Reputation: 3186
You're running into a Managed Challenge: https://developers.cloudflare.com/fundamentals/get-started/concepts/cloudflare-challenges/
The key question here is whether you own the zone. The site owner can add a managed challenge for pretty much any reason as part of their WAF: https://developers.cloudflare.com/waf/ . We could speculate about whether it's due to your traffic being deemed a bot or maybe they're blocking based on your user agent string. You don't have control over managed challenges that are served to you if you don't own the domain in Cloudflare.
If you are the site owner, you can determine which rule is causing this Managed Challenge by taking the Cloudflare Ray ID and filtering for it in Security > Overview. You can then add a bypass to your firewall rule to exclude this PHP curl traffic.
Upvotes: 1
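One way for the PHP client to tell a Cloudflare challenge page apart from the API's JSON, and to capture the Ray ID the answer refers to, as an added example that is not part of the original posts. The function names, the fallback heuristic and the sample responses are assumptions constructed for illustration; `cf-mitigated` and `CF-RAY` are response headers Cloudflare sets.

```php
<?php
// Added example (not from the original posts). Sample responses are constructed.

// Parse a raw header block into a map keyed by lowercase header name.
function parse_headers(string $raw): array {
    $headers = [];
    foreach (preg_split('/\r?\n/', trim($raw)) as $line) {
        if (strpos($line, ':') === false) continue; // status line, e.g. "HTTP/1.1 403 Forbidden"
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }
    return $headers;
}

// Decide whether the response is API JSON or a Cloudflare challenge page.
function classify_response(string $rawHeaders, string $body): array {
    $h = parse_headers($rawHeaders);
    $ray = $h['cf-ray'] ?? null; // the Ray ID a site owner can filter on
    // Cloudflare sets "cf-mitigated: challenge" on challenge responses.
    $flagged = strtolower($h['cf-mitigated'] ?? '') === 'challenge';
    // Fallback heuristic (assumption): HTML served by Cloudflare that carries
    // the challenge wording quoted in the question.
    $looksLikeChallenge = stripos($h['server'] ?? '', 'cloudflare') !== false
        && stripos($h['content-type'] ?? '', 'text/html') === 0
        && stripos($body, 'complete the security check') !== false;
    if ($flagged || $looksLikeChallenge) {
        return ['kind' => 'challenge', 'ray_id' => $ray, 'data' => null];
    }
    $data = json_decode($body, true);
    if (is_array($data)) {
        return ['kind' => 'json', 'ray_id' => $ray, 'data' => $data];
    }
    return ['kind' => 'unexpected', 'ray_id' => $ray, 'data' => null];
}

// Constructed samples: [raw headers, body]. EXAMPLE_RAY_ID is a placeholder.
$samples = [
    ["HTTP/1.1 403 Forbidden\r\nServer: cloudflare\r\ncf-mitigated: challenge\r\n"
        . "Content-Type: text/html; charset=UTF-8\r\nCF-RAY: EXAMPLE_RAY_ID\r\n",
     "<html><body>One more step</body></html>"],
    ["HTTP/1.1 403 Forbidden\r\nServer: cloudflare\r\n"
        . "Content-Type: text/html; charset=UTF-8\r\nCF-RAY: EXAMPLE_RAY_ID\r\n",
     "<html>Please complete the security check to access app.mobilecause.com</html>"],
    ["HTTP/1.1 401 Unauthorized\r\nServer: cloudflare\r\n"
        . "Content-Type: application/json\r\nCF-RAY: EXAMPLE_RAY_ID\r\n",
     '{"status":"Error","message":"Invalid API Token"}'],
];
foreach ($samples as [$rawHeaders, $body]) {
    $r = classify_response($rawHeaders, $body);
    echo $r['kind'], ' ray=', $r['ray_id'], ' ', $r['data']['message'] ?? '(no JSON payload)', PHP_EOL;
}
```

With the question's cURL handle, setting `CURLOPT_HEADER` to true and splitting the result at `curl_getinfo($curl, CURLINFO_HEADER_SIZE)` yields the two arguments. A `challenge` result with its Ray ID is what to pass to the site owner so they can locate the matching rule.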