cURL：两个单独的请求，相同的会话 [英] cURL: two seperate requests, same session

问题描述

我有一个脚本从外部网站下载并显示网页。该网站生成一次性令牌并将其存储在隐藏的表单字段中，并将相同的令牌放入发送给用户的Cookie中。在我的第一个cURL请求中，我存储了Cookie：

I have a script that downloads and displays an web page from an external site. The site generates a one-time token and stores it in a hidden form field, and puts the same token in the cookie it sends to the user. In my first cURL request, I store the cookie:

$url = 'http://www.example.com/form.php';
$host = parse_url($url, PHP_URL_HOST);
$referer = 'http://' . $host;
$ip_address = $_SERVER['REMOTE_ADDR'];

// Give the user a unique cookie file for each request
$cookie_file = 'cookies/' . sha1($ip_address . $agent . $url) . '.txt';

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HTTPGET, 1);
curl_setopt($ch, CURLOPT_AUTOREFERER, 1);
curl_setopt($ch, CURLOPT_REFERER, $referer);
curl_setopt($ch, CURLOPT_USERAGENT, $agent);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);
curl_setopt($ch, CURLOPT_COOKIESESSION, false);

$file = curl_exec($ch);

这很好，它正确地创建了cookie文件，当我打开它，它有

This works fine and it correctly creates the cookie file, and when I open it up, it has the one-time token in it, and it matches the token in the hidden form field.

当我提交表单时，我使用相同的cookie进行另一个cURL请求：

When I submit the form, I make another cURL request, using the same cookie:

$ch = curl_init($url);

$postdata = http_build_query($postdata);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
$ip_address = $_SERVER['REMOTE_ADDR'];
$cookie_file = 'cookies/' . sha1($ip_address . $agent . $url) . '.txt';
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);
curl_setopt($ch, CURLOPT_AUTOREFERER, 1);
curl_setopt($ch, CURLOPT_REFERER, $referer);
curl_setopt($ch, CURLOPT_USERAGENT, $agent);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$response = curl_exec($ch);

Cookie文件名称应该与第二次相同，因为用户的ip，代理和目标原始网址没有改变。我已验证它不会为请求创建第二个Cookie，并且不会覆盖第一个Cookie。

The cookie file name should be the same the second time around, since the user's ip, agent, and target original url haven't changed. I've verified that it doesn't create a second cookie for the request and doesn't overwrite the first one.

但是当我提交表单时，CSRF验证失败，即使我没有更改隐藏表单字段，它匹配cookie中的一次性令牌，我将HTTP引用设置为目标网址。是否有其他原因CSRF检查将失败？它是不是使用cookie在第二个请求有一些原因吗？任何帮助，感谢：）

But when I submit the form, the CSRF validation fails, even though I didn't change the hidden form field, and it matches the one-time token in the cookie, and I set the HTTP referer to the target url. Is there some other reason why the CSRF check would fail? Is it not using the cookie in the second request for some reason? Any help is appreciated, thanks :)

推荐答案

您可能必须重新定义您的变量。您的 $ agent 和 $ url 不是秒的cURL请求。

You might have to redefine your variables. Your $agent and $url are not there in seconds cURL request.

这篇关于cURL：两个单独的请求，相同的会话的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！