问题
I am logging in remotely to a website using cURL and everything is working fine. I am posting the login information, retrieving the cookies and being redirected by the remote site. I have a few questions about how the cookies are actually functioning.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://website' );
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_str);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/php/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/php/cookies.txt');
$result = curl_exec($ch);
$x = curl_getinfo($ch);
print_r($x);
1.) Is there some security issues I need to be concerned about by sending the login information via POST?
2.) When I set the curlopt_cookiejar to /php/cookies.txt, I don't actually see that file saved anywhere. This may be due to permissions, but the login is working anyways. Why would that be the case? What would be the correct permissions to allow this file to be written to and saved?
3.) Is storing the cookiejar file in plaintext safe? What is the best location to save this file?
4.) If this script is used regularly by multiple users, what is preventing the correct cookie information located in cookies.txt that is sent back to the server using curlopt_cookiefile from being mixed up by other cookies that have been written in this file? What is the best way to approach cookies that expire, and removing old cookies from this file?
This is obviously a very important function of cURL, but I can't seem to find these answers anywhere. I'm hoping a cURL master can set these questions straight once and for all to see.
回答1:
1) No
2)
2.0) It's writing to /php - that is, off the root filesystem, in a folder php. Did you check there?
2.1) The cookiejar would only be used for subsequent requests that do NOT post the login information. At this point, I'm wondering what it is you're using the cookiejar for...are you certain you even need these cookies? They (shouldn't) get sent to the third-party site you got redirected to, so what are they doing?
2.2) The user running PHP (usually the web server) will need write permissions to this file.
3) As long as you put the cookiejar somewhere on your filesystem that others can't get arbitrary access to, you should be fine - for example, you probably want to put it somewhere outside the webroot.
4) If this script is used regularly by multiple users, you'll almost CERTAINLY get a mix of all different kind of data in that file - which indicates that you should probably be giving each user their own cookiejar file, or something...since the location is just set via a PHP string, you shouldn't have too much trouble figuring out how to make it dynamic. CURL will take care of not writing expired cookies to the jar during subsequent requests and responses.
来源:https://stackoverflow.com/questions/4126374/using-cookies-with-curl