PHP curl - posting asp.net viewstate value

Mark Jones · Jul 16, 2010 · Viewed 13.9k times

I have the following code to log in to an external site application (asp.net app) from a local site login form (written in php):

<?php
$curl_connection = curl_init('www.external.com/login.aspx');

curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($curl_connection, CURLOPT_USERAGENT,
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
// Keep certificate verification on: with it disabled, anyone able to
// intercept the connection can read the posted credentials.
curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);

// Post data array
$post_data = array();
$post_data['LoginControl$UserName'] = 'ExampleUName';
$post_data['LoginControl$Password'] = 'ExamplePWord';

// Add form fields into an array to get ready to post.
// Names and values are URL-encoded so characters such as '$', '&' and '='
// cannot corrupt the request body.
$post_items = array();
foreach ($post_data as $key => $value) {
    $post_items[] = urlencode($key) . '=' . urlencode($value);
}
$post_string = implode('&', $post_items);

// Tell cURL which string to post
curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post_string);

// Execute and post
$result = curl_exec($curl_connection);
?>

I get directed to the login form of the external site instead of being directed to the application logged in. I think the problem is that I need to pass the viewstate values through, but I'm not sure how to go about doing that?

I don't have control over the external application. But we want users to be able to log in to the application through our website, to maintain branding etc.

I've posted a couple of other threads recently about the use of php cURL, but I'm at the stage now where I think the viewstate is the problem ...

Thanks, Mark.

Answer

Ed Robinson · Oct 4, 2010

This seems to be a real problem when trying to scrape the asp.net pages.

The pages contain a hidden field named "__VIEWSTATE" which contains a base64-encoded set of values containing some or all of the page state when the page was sent. It usually also contains the SHA1 of the viewstate.

What this means is that your post must contain everything in the __VIEWSTATE or it will fail.

I have been able to post a simple login page that has only 2 fields but not a more complex page in which the author has chosen to put the entire page state in the viewstate.

As yet I have not been able to come up with a solution.
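
The usual way to carry the hidden state through, shown here as an added example that is not part of either post: read every hidden input from the login page exactly as the server sent it and post those values back together with the visible fields. The sample HTML, its field values and the `__EVENTVALIDATION` field are constructed for illustration (the thread only names `__VIEWSTATE`), the function names are hypothetical, and PHP's DOM extension is assumed to be available.

```php
<?php
// Added example: the HTML, values and function names below are constructed.

// Collect every <input type="hidden"> from the login page (__VIEWSTATE,
// __EVENTVALIDATION, ...) so they can be posted back unchanged.
function extract_hidden_fields(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // real-world HTML is rarely valid
    $doc->loadHTML($html);
    libxml_clear_errors();

    $fields = [];
    foreach ($doc->getElementsByTagName('input') as $input) {
        if (strtolower($input->getAttribute('type')) === 'hidden'
            && $input->getAttribute('name') !== '') {
            $fields[$input->getAttribute('name')] = $input->getAttribute('value');
        }
    }
    return $fields;
}

// Merge the server-issued hidden fields with the visible form fields.
// http_build_query() URL-encodes names and values, which matters because
// base64 contains '+', '/' and '=' and control names contain '$'.
function build_login_post(string $html, array $form_fields): string
{
    return http_build_query(extract_hidden_fields($html) + $form_fields);
}

// Constructed sample of what a GET of the login page might return.
$sample_html = <<<'HTML'
<html><body><form method="post" action="login.aspx">
<input type="hidden" name="__VIEWSTATE" value="/wEPDwUKc2FtcGxl+A==" />
<input type="hidden" name="__EVENTVALIDATION" value="/wEWAgKc/example+w=" />
<input type="text" name="LoginControl$UserName" />
<input type="password" name="LoginControl$Password" />
</form></body></html>
HTML;

$post_string = build_login_post($sample_html, [
    'LoginControl$UserName' => 'ExampleUName',
    'LoginControl$Password' => 'ExamplePWord',
]);
echo $post_string, PHP_EOL;
```

In a live flow the page is first fetched with a GET, and the POST reuses the same cURL handle or cookie jar (`CURLOPT_COOKIEJAR` / `CURLOPT_COOKIEFILE`) so that any session cookie issued with the form is returned with it.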