简体繁体 English

如何通过PHP curl登录使用Facebook Connect的网站

[英]How to login in a website that uses facebook connect via PHP curl

原文 2010-12-28 10:14:49 9 2 php/ authentication/ cookies/ curl/ login

I need to login with my account with php curl in a website that uses facebook connect to login. 我需要在使用facebook connect登录的网站上使用php curl登录我的帐户。

I'll take as example site one of my favourite apps: Mousehunt 我将以我最喜欢的应用程序之一为例： Mousehunt

As you can see, it uses facebook (of course) to login: if you are already connected to facebook, it succeeds in automatic login, otherwise it popups facebook login. 如您所见，它（当然）使用facebook登录：如果您已经连接到facebook，它将成功自动登录，否则将弹出facebook登录。

How i can login into it with php curl? 我怎样才能用php curl登录呢？ I know some about curl & cookie (cookiejar, cookiefile, post etc) but not too much. 我知道一些关于curl和cookie（cookiejar，cookiefile，post等）的信息，但是了解得还不多。

Which is the target url to post data? 发布数据的目标网址是哪个？ How can i return to that site as user logged in? 用户登录后如何返回该站点？

2 个解决方案

Let me explain how this sort of FB login works. 让我解释一下这种FB登录的工作方式。 There is of course the alternate method used for desktop applications, which would make it possible, but this website doesn't use it. 当然，还有其他方法可用于桌面应用程序，这将使之成为可能，但是此网站未使用它。

So heres the deal: 所以这笔交易：

The login button opens a link on facebook servers containing the api key of the website and some arbitrary information. 登录按钮会在Facebook服务器上打开一个链接，其中包含网站的api密钥和一些任意信息。 So far so good. 到现在为止还挺好。 You could simulate that easily. 您可以轻松地进行模拟。

Then after accepting the privacy stuff you get redirected back to the website. 然后，在接受隐私内容后，您将被重定向回网站。 You can simulate that as well. 您也可以模拟它。

But then comes the burden: 但是随之而来的是负担：

The location you get redirected to contains an facebook token after the hashtag (#). 您重定向到的位置的井号（＃）后包含一个Facebook令牌。

The website can then read this token by Javascript and use it to query the facebook api to confirm your dientity. 然后，网站可以使用Javascript读取此令牌，并使用它来查询facebook api以确认您的身份。

The reason why this is done that way is easy: 这样做很简单：

Think about it. 想一想。 Everyone could fake a request in the name of the website and read your private data. 每个人都可以以网站的名义伪造请求并读取您的私人数据。 But everything after the hashtag is never readable by the server the request is directed to. 但是，将标签定向到请求之后，服务器将永远无法读取其后的所有内容。 The web browser just does not pass it and it would be violating http standards and cause an error. Web浏览器只是不通过它，它将违反http标准并导致错误。

The only way to access it is by javascript. 访问它的唯一方法是通过javascript。 And this can only be by the website serving the request (where facebook redirects to). 而且只能通过提供请求的网站（facebook重定向到该网站）进行。 And the domain where facebook redirects to is locked by the application key owner. Facebook重定向到的域由应用程序密钥所有者锁定。

You see javascript is an essential part of the security here. 您会在此处看到javascript是安全性的重要组成部分。

I think it is very insecure indeed because there are many possible explits, but its very easy which is a reason why this form of login is spreading so much in comparision to eg openid. 我认为这确实是非常不安全的，因为存在许多可能的漏洞利用，但是它非常容易，这就是这种登录形式与openid相比传播如此之多的原因。

So to sum it up: You need simulate a fully javascript enabled browser. 综上所述：您需要模拟一个完全启用JavaScript的浏览器。 It is partly possible but very complex and there are no out of the box solutions for that. 这在某种程度上是可能的，但是非常复杂，并且没有开箱即用的解决方案。

well, there might be a way. 好吧，也许有办法。 looks like facebook request don't sign the permission scope in any way. 看起来Facebook请求不以任何方式签署许可范围。 so this basically means you can grant the application/website more permission than they even asked for. 因此，这基本上意味着您可以向应用程序/网站授予比他们甚至更高的权限。

then you could grant the website permament permission - log in the usual way - and save the cookies. 那么您可以授予网站永久权限-以通常的方式登录-并保存cookie。

then you can send those cookies along with curl. 那么您可以将这些cookie和curl一起发送。 if the website uses servers side login authentication, which is very likely, you will still be logged in, because the access token is permament. 如果网站使用服务器端登录身份验证（很有可能），则您仍将登录，因为访问令牌是永久的。

however there is no guarantee for that hack to stay functional. 但是并不能保证该hack保持正常运行。