Logging In To Joomla 1.5 Using External Form (not within joomla folder, but on same server)

Robert picture Robert · Mar 3, 2011 · Viewed 7.4k times · Source

I currently have a Joomla 1.5 installation, as well as another website. They both reside on the same web server. They are in different folders within the wwwroot directory, however. I would like to place a login form within the non-joomla website, which will log the user in to Joomla. I have already tried copying and pasting the Joomla login form code into a page on the non-joomla site, and everything works fine up until the secret form value is not correct. Any help is greatly appreciated.

EDIT: Here is the code-

Contact form:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Untitled Document</title>
</head>

<body>
<form id="login" name="login" method="post" action="login.php">
  <label>
  <input name="username" type="text" id="username" value="username" />
  </label>
    <label>
    <input name="password" type="password" id="password" value="password" />
    </label>
  </p>
  <p>
    <label>
    <input type="submit" name="submit" id="submit" value="Submit" />
    </label>
  </p>
</form>
</body>
</html>

Login Script:

<?php
$uname = $_POST['username'];
$upswd = $_POST['password'];
$url = "http://www.mywebsite.com/joomla_site/index.php";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url );
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE );
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE );
curl_setopt($ch, CURLOPT_COOKIEJAR, './cookie.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, './cookie.txt');
curl_setopt($ch, CURLOPT_HEADER, FALSE );
$ret = curl_exec($ch);
if (!preg_match('/name="([a-zA-z0-9]{32})"/', $ret, $spoof)) {
    preg_match("/name='([a-zA-z0-9]{32})'/", $ret, $spoof);
}

// POST fields
$postfields = array();
$postfields['username'] = urlencode($uname);
$postfields['passwd'] = urlencode($upswd);
$postfields['lang'] = '';
$postfields['option'] = 'com_login';
$postfields['task'] = 'login';
$postfields[$spoof[1]] = '1';
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);
$ret = curl_exec($ch);
?>

Answer

Brent Friar picture Brent Friar · Mar 6, 2011

Ok, in order for this to work here is what needs to be done -

  1. Create a new session and get the associated token
  2. Pass the username, password, and token to create a logged in session
  3. Get the new cookie values for logged in session
  4. Transfer cookie to the browser

Here is the code needed to accomplish all of this:

<?php
$uname = $_POST['username'];
$upswd = $_POST['password'];
$url = "http://joomla website.com";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url );
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE );
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE );
curl_setopt($ch, CURLOPT_COOKIESESSION, TRUE );
curl_setopt($ch, CURLOPT_COOKIEJAR, realpath('./cookie.txt'));
curl_setopt($ch, CURLOPT_COOKIEFILE, realpath('./cookie.txt'));
curl_setopt($ch, CURLOPT_HEADER, TRUE );
$ret = curl_exec($ch);
if (!preg_match('/name="([a-zA-z0-9]{32})"/', $ret, $spoof)) {
    preg_match("/name='([a-zA-z0-9]{32})'/", $ret, $spoof);
}

// POST fields
$postfields = array();
$postfields['username'] = urlencode($uname);
$postfields['passwd'] = urlencode($upswd);
$postfields['option'] = 'com_user';
$postfields['task'] = 'login';
$postfields[$spoof[1]] = '1';
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);
$ret = curl_exec($ch);

// Get logged in cookie and pass it to the browser
preg_match('/^Set-Cookie: (.*?);/m', $ret, $m);
$cookie=explode('=',$m[1]);
setcookie($cookie[0], $cookie[1]);
?>

This should work on any Joomla website as long as the URL used in the script has a login form on the page. Once you run this script you should then be able to access the website and be logged in.