Search code examples
httpcurl

Authentication fails with curl, works in browser


I am using a HTML login form to access an application. This works in a browser but when I try to replicate using curl, I get "Authentication failed, bad username/password". I only have limited access to the serverside (but the logs don't contain any additional information other than message previously quoted).

Using a browser:

There are 2 fields on the form, username and password along with a submit button. In web developer tools, after submitting the request, under Request/payload, I only see the 2 values.

The ENCODED string reported in developer tools is 58 characters long.

The request header field reports a content-length value of 57 bytes.

Using Curl:

Using this command to replicate the browser request including the non-dynamic request headers, authentication fails.

curl -v -d "username=$USER" -d "password=$PASS" \
       "https://example.com/app/j_spring_security_check" \
       --header @extraheadersfile \
       --cookie-jar "cookiefile"

what's different?

The only difference I can see between the Browser and Curl requests (other than the date and cookie values) is that the curl request header reports a content-length of 55 bytes.

(http protocol, method, user agent, accept-* all match)

The values for username and password are input correctly in both cases.

I suspect that the issue is with the POST payload / there may be some difference in how the data is being encoded, but I can't see where the 57 bytes is coming from (curl Content-length: 55 / browser Content-length: 57 / browser payload, url-encoded is 58 characters).


Solution

  • Usually, when dealing with cookies, you need to enable writing and reading at the same time in the same file.

    You can fix your code like this:

    curl --cookie-jar "cookiefile" --cookie "cookiefile" .......
    

    or

    curl -b "cookiefile" -c "cookiefile" .......