I've been playing a bit with PHP recently and came across an error I couldn't solve myself. So I wrote the following code in Python:

```python
import os
import requests
import urllib

s = requests.Session()
s.get('https://profile.callofduty.com/cod/login')
data = {'username': 'My@Email.com',
        'password': 'myPassword',
        'remember_me': 'true',
        '_csrf': s.cookies['XSRF-TOKEN']}
s.post('https://profile.callofduty.com/do_login?new_SiteId=cod', params=data)

print(s.cookies)
```

For obvious reasons this isn't my real data.

In PHP I wrote the following:

```php
<?php

var_dump($_POST["X-CSRFToken"]);
$ch = curl_init();
$url = 'https://profile.callofduty.com/do_login?new_SiteId=cod';
$datihfbskdhfibfa = array(
  'username' => 'My@Email.com',
  'password' => 'MyPassword',
  'remember_me' => 'true',
  '_csrf' => $_POST["X-CSRFToken"]
);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $datihfbskdhfibfa);
$server_output = curl_exec($ch);
echo $server_output;
curl_close($ch);
```

Before I do the POST request, I receive the X-CSRF from another PHP file and pass it through JS to this PHP file. If I run Python I receive the token; with PHP it throws a 403 Forbidden back at me. Can someone explain to me why there is an issue?

  • 2
    Uhm, you are posting to a completely different URL in your PHP code? `https://profile.callofduty.com/do_login?new_SiteId=cod` vs `https://profile.callofduty.com/cod/login` – CBroe Jul 02 '21 at 09:44
  • Sorry, a dumb mistake of mine. I was so hopeless that I changed the URL and forgot to change it back. Still a Forbidden error. – I_want_french_fries Jul 02 '21 at 10:18
  • Maybe your token is not actually valid? In your python code, I am assuming you got that via the `s.get('https://profile.callofduty.com/cod/login')` call. Why is it coming from elsewhere in the PHP version now? And since you are using a session mechanism in your python code, I would assume that will send any cookies you might have received with the first request, back with the second one. If so, and that is required for the functionality, then that part would appear to be completely missing from your PHP attempt. – CBroe Jul 02 '21 at 10:20
  • As @CBroe stated, the "other" PHP file you are using is probably causing a new session on the endpoint. This means that even if you log in and get a CSRF token, it will be generated for the session opened via your "other" PHP file and not via the cURL request. In your Python script this is eliminated because you actually pass the CSRF token via the same session object (`s.cookies['XSRF-TOKEN']`) – Alcaeus D Jul 02 '21 at 10:22
  • Instead of posting the CSRF token (which is generated through a different session from a different file), try to run a `curl` to your site, extract either the meta info from the header or the cookie info as you do in your Python script ([this might help](https://stackoverflow.com/questions/895786/how-to-get-the-cookies-from-a-php-curl-into-a-variable)) and then, without terminating your `curl` model with `curl_close($ch)`, re-run it using the CSRF token you previously extracted. – Alcaeus D Jul 02 '21 at 10:33
  • OK, if I get you right, @CBroe and @Alcaeus, I should POST and GET in the same curl session? If so, how do I do both in one PHP file? – I_want_french_fries Jul 02 '21 at 15:28
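
The approach suggested in the comments above, as an added example that is not part of the original thread: the GET and the POST share one cURL handle with its cookie engine enabled, so the `_csrf` value and the session cookie belong to the same server-side session. It assumes the endpoint accepts a form-encoded body (the Python script in the question sent the same fields as query parameters); `cookieFromJar`, `COD_USER` and `COD_PASS` are hypothetical names.

```php
<?php
// Added example (not from the thread): one cURL handle for both requests.

// Return the value of a named cookie from cURL's in-memory jar, or null.
function cookieFromJar(array $cookieList, string $name): ?string
{
    foreach ($cookieList as $line) {
        // Netscape format: domain, flag, path, secure, expiry, name, value
        $fields = explode("\t", $line);
        if (count($fields) === 7 && $fields[5] === $name) {
            return $fields[6];
        }
    }
    return null;
}

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true, // Python's requests follows redirects by default
    CURLOPT_COOKIEFILE     => '',   // empty string: keep cookies in memory on this handle
]);

// Step 1: GET the login page so the server issues its session and XSRF-TOKEN cookies.
curl_setopt($ch, CURLOPT_URL, 'https://profile.callofduty.com/cod/login');
curl_exec($ch);
$token = cookieFromJar(curl_getinfo($ch, CURLINFO_COOKIELIST), 'XSRF-TOKEN');
if ($token === null) {
    exit("Login page did not set an XSRF-TOKEN cookie\n");
}

// Step 2: POST on the same handle; cURL replays the cookies from step 1,
// so the token in the form matches the session the server sees.
curl_setopt_array($ch, [
    CURLOPT_URL        => 'https://profile.callofduty.com/do_login?new_SiteId=cod',
    CURLOPT_POST       => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'username'    => getenv('COD_USER'), // hypothetical env var names;
        'password'    => getenv('COD_PASS'), // keeps credentials out of source
        'remember_me' => 'true',
        '_csrf'       => $token,
    ]),
]);
$body   = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
curl_close($ch);

echo "HTTP $status\n";
```

A token fetched by a different PHP script or by the browser is tied to that client's session cookie, which is why replaying it from a fresh cURL handle is rejected with 403.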
