I have a web-site based on PHP, to which I would like to add a members-only area. Instead of creating my own registration/login pages, I would like to make a piece of code which will look if the user is logged on a particular site (for simplicity, we could assume that this site is Facebook) and if yes, allow him to navigate on my site. If no, tell him to log on on that site and come back after that.
I would like to accomplish this by making my site open a page on that site, that has a welcome screen if the user is logged in or requires the username/password otherwise. By analyzing the content of that page, I would be able to see if the user is logged in or not.
I have tried to achieve this by using CURL (see the code below), but did not succeeded, as even if the user was logged in on that site via the same browser, when opening my site it was shown as if he wasn’t. I suppose that the problem is in the cookies, as I have somewhere read that while making CURL requests the cookies saved in the browser are not available.
Is there any way to make a PHP script open a page from another site, using the cookies stored in the browser (the cookies were created previously by that site)?
Here is the PHP code from my site:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'www.my-site.com');
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($ch, CURLOPT_USERAGENT, 'User agent');
$data = curl_exec($ch);
echo($data);
I actually think this is a really good question. So here are some thoughts.
First, cookies are explicitly designed not to allow this to happen. Think about it: when you go to facebook.com from home, then that’s great – fbook uses cookies to keep track of your login status and that cookie is bound to your browser session. Someone else checking facebook from their office would have no knowledge of your login – because it’s just a completely different request from a different browser on a different computer with a different IP address and a different set of cookies. So far so good.
So think about it: you log onto facebook from your computer. Now you open up this special web page – which is trying to use cURL to see information about your session (whether or not you’re logged in.)
Well “opening a curl session” is equivalent to “opening a browser session” – right? Only your “web browser” has a different interface – commandline versus gui.
Which means that cURL is effectively a separate entity from a separate domain opening facebook, just like the office worker checking their page is totally independent from yours.
Moreover, cookies are implemented in browsers such that one domain (user382155.com) is not allowed to access cookies from another domain (facebook.com). This is for security reasons.
So how can you accomplish this? Here are some ideas. (Some of these are bad ideas. But the idea is to start thinking about solutions.)
You could run your cURL script on the same computer as your web browser. You know, run a web server locally. Then you could play with apache/php settings so that your PHP script can access your browser’s cookie files. Then your script could use that cookie information to determine whether or not to let you log on. Or redirect you to a website on your own domain (bad idea). Or something.
You could use some clever firefox extension or greasemonkey script to do this “cross site scripting” for you – to check the status of facebook cookies and use that to auth your own website. This is in line with the previous suggestion. The problem is that you need the client to install a script of some sort. You might be able to do something clever with javascript but I doubt it – that’s exactly what an “XSS” attack is.
You could monitor the login process of facebook and try to reverse-engineer what it’s doing. I’d recommend LiveHTTPHeaders to help with this. Then you could have your web form get the fbook username/password and then use cURL to “mimic” the login process using that information. This might be against facebook’s policies. (of course, substitute “facebook” with whatever website you’re interested in. In the case of Facebook, this is explicitly against their policies.)
None of these are great solutions (and they’re insecure, probably violate ToS, blahblahblah). You’re trying to do something which the web is explicitly designed not to do.
After all that, to answer your question: no, there is not a way for one domain to access the cookies of another domain. (But you can sure try!)