logging into twitter with curl

Question

I'm trying to login into twitter with php + curl, but I think there's something wrong with my request because I get this as response:

Something is technically wrong.

Thanks for noticing—we\'re going to fix it up and have things back to normal soon.

The php code I'm using is:

<?php
            $ch = curl_init($sTarget);
            curl_setopt($ch, CURLOPT_HEADER, false);
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $sPost);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
            curl_setopt($ch, CURLOPT_COOKIESESSION, true);
            curl_setopt($ch, CURLOPT_COOKIEJAR, $_CKS);
            curl_setopt($ch, CURLOPT_COOKIEFILE, $_CKS);
            curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
            curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-type: multipart/form-data"));
            curl_setopt($ch, CURLOPT_REFERER, "https://twitter.com");

?>

$sPost looks like this:

session[username_or_email]=user&session[password]=password&remember_me=1&scribe_log=&redirect_after_login=&authenticity_token=6e706165609354bd7a92a99cf94e09140ea86c6f

The code first fetches the login form fields so that the post variables do have the proper values(auth token). I just tried about everything and yes I know there's an api for this but I'd rather find out how to do it manual for learning's sake.

Thanks in advance.

Answer 1

The CURLOPT_COOKIESESSION is used to indicate a new session. That's not what you want, since you need to send the session cookie in the second post.

I got the twitter login to work with this code:

<?php

# First call gets hidden form field authenticity_token
# and session cookie
$ch = curl_init();
$sTarget = "https://twitter.com/";
curl_setopt($ch, CURLOPT_URL, $sTarget);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
curl_setopt($ch, CURLOPT_COOKIEFILE, "/tmp/cookie.txt");
curl_setopt($ch, CURLOPT_REFERER, "https://twitter.com/");
$html = curl_exec($ch);

# parse authenticity_token out of html response
preg_match('/<input type="hidden" value="([a-zA-Z0-9]*)" name="authenticity_token"\/>/', $html, $match);
$authenticity_token = $match[1];

$username = "[email protected]";
$password = "password";

# set post data
$sPost = "session[username_or_email]=$username&session[password]=$password&return_to_ssl=true&scribe_log=&redirect_after_login=%2F&authenticity_token=$authenticity_token";

# second call is a post and performs login
$sTarget = "https://twitter.com/sessions";
curl_setopt($ch, CURLOPT_URL, $sTarget);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $sPost);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, false);
curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-type: application/x-www-form-urlencoded"));

# display server response
curl_exec($ch);
curl_close($ch);

?>

PS: Sorry for not reading your post properly the first time.

Answer 2

I noticed two things:

1) Try to URL encode your POST data

such as: session%5Busername_or_email%5D=user&session%5Bpassword%5D=password...

instead of: session[username_or_email]=user&session[password]=password...

2) twitter has a hidden field named authenticity_token in the login form. It is bound to the session. Thus you cannot use a static authenticity_token, you have to read the login form first and use the authenticity_token field from there.

Hope that helps.