使用cURL的PHP​​ NTLM会话

Question

So a little trivia first..

There is written in ASP.NET website, which uses NTLM protocol to authenticate users that want to log in. It's perfectly ok when they normally use it, they type in website URL, they provide their credentials, authenticate and maintain session in web browser.

What I want to do, is create PHP website that will act as bot. It is my companys internal website and I am approved to do so. The problem I run into, is managing session. Users will be able to type in their credentials in my PHP website, and my PHP website will authenticate them to target site, using cURL.

The code I got so far is:

    $cookie_file_path = dirname(__FILE__) . '/cookies.txt';
    $ch = curl_init();

    //==============================================================
     curl_setopt($ch, CURLOPT_USERPWD, $username. ':' . $password);
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
     curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
     curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
     curl_setopt($ch, CURLOPT_URL, $url);
     curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
     curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
     curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path);
     curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path);
     curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
     curl_setopt($ch, CURLINFO_HEADER_OUT, true);
     curl_setopt($ch, CURLOPT_FAILONERROR, 0);
     curl_setopt($ch, CURLOPT_MAXREDIRS, 100);
    //=============================================================
    $ret = curl_exec($ch);

Above code logs in to target website by cURL (which manages NTLM handshake, as it seems), and fetches websites content. It also stores Session ID that is sent back in cookie file.

What I'm trying to do next, is comment the CURLOPT_USERPWD option, in hope that this script will use session ID stored in cookie file to authenticate previously logged in user in second execution of this script. It could get rid of user credentials and do not store it anywhere that way, becouse it is not safe to store it in manually created session, database, or anywhere else.

I need this becouse bot will be using CRON to periodically check if website status has changed and perform some user actions as reaction to this. But to do this, user first must be authenticated, and his username and password must not be stored anywhere, so I have to use session information estabilished when he initially logged in.

CURL seems to NOT DO THIS. When I execute script second time with commented CURLOPT_USERPWD option, it does not use stored cookie to keep beeing authenticated. Instead, it REWRITES cookie file with not relevant data send to me from service as response to NOT AUTHRORISED access request.

My questions are: Why cURL doesnt use stored session information to keep beeing authenticated? Is there any way to maintain this session with cURL and NTLM protocol based website?

Thanks in advance.

Answer 1

A few Month ago I had a similar problem then you. I tried to get a connection to a navision soap api. Navision use the ntlm authentication. The problem is that curl doesn't native support ntlm so you have to do it yourself.

A blog post that helped me a lot in this situation was the following:

http://rabaix.net/en/articles/2008/03/13/using-soap-php-with-ntlm-authentication

** Edit

Sorry i misread you question. You problem is simple.

Just receive the header from a request with this line

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

You can then get from the result of curl_exec function, the Set-Cookie header.

preg_match('/^Set-Cookie:\s*([^;]*)/mi', $ret, $match);
$cookie = parse_url($match[0]);

Now you can store it somewhere, and use it on the 2ten request.

Answer 2

I have the same problem and i solved it using curl_setopt($ch, CURLOPT_COOKIEFILE, ""); line of code. The string should be exactly empty .