HTTP/1.1 302 Found Is this normal or in trouble?

0

I’m getting the following return from my PHP code, even though these topics helped me a lot: First, According to

C: wamp64 www test index.php:61:string 'HTTP/1.1 302 Found cache-control: no-cache, max-age=300 content-length: 157 content-security-policy: default-src 'None'; connect-src 'self'; font-src https://abs.twimg.com https://abs-0.twimg.com data:; frame-src'self 'twitter:; frame-ancestors'self' https://tweetdeck.twitter.com https://tdapi-staging.smf1.twitter.com https://tdapi-staging.atla.twitter.com https://tweetdeck.localhost.twitter.com; img-src https://abs.twimg.com https:/*.twimg.com https://pbs.twimg.com date:; media-src 'None'; Object-src'... (length=116072)

My PHP code:

<?php

$cookie = [];

$index_url = 'https://twitter.com';

$token = curl_init();
curl_setopt_array($token, [
      CURLOPT_URL             => $index_url,
      CURLOPT_CUSTOMREQUEST   => 'GET',
      CURLOPT_RETURNTRANSFER  => true,
      // Keep certificate and host-name verification on: this handle later sends credentials
      CURLOPT_SSL_VERIFYPEER  => true,
      CURLOPT_SSL_VERIFYHOST  => 2,
      CURLOPT_USERAGENT       => $_SERVER['HTTP_USER_AGENT'],
      CURLOPT_REFERER         => $index_url,
      CURLOPT_HEADER          => TRUE,
      CURLOPT_HEADERFUNCTION  => function($curl, $header) use (&$cookie){
          if(stripos($header, 'Set-Cookie:') === 0){
              if(preg_match('/Set-Cookie:\s?(.*?);/i', $header, $matches)) {
                  // $cookie .= $matches[1] . '; ';
                  $cookie[] = $matches[1];
              }
          }
          //var_dump($header);
          return strlen($header);
      }
    ]
);    
$access = curl_exec($token);

preg_match('/value="(.*?)" name="authenticity_token"/', $access, $matches);

$authenticity_token = $matches[1];

//how to use cookie array
//$cookie[0];

$username = 'jhonesstevan';
$password = 'laranjao1020';

$session_post = "session[username_or_email]=$username&session[password]=$password&return_to_ssl=true&scribe_log=&redirect_after_login=%2F&authenticity_token=$authenticity_token";

$session_url = 'https://twitter.com/sessions';

curl_setopt_array($token, [
      CURLOPT_URL             => $session_url,
      CURLOPT_CUSTOMREQUEST   => 'POST',
      CURLOPT_POSTFIELDS      => $session_post,
      CURLOPT_RETURNTRANSFER  => true,
      CURLOPT_HTTPHEADER      => [
        "Content-type: application/x-www-form-urlencoded"
      ],
      CURLOPT_USERAGENT       => $_SERVER['HTTP_USER_AGENT'],
      CURLOPT_HEADER          => TRUE,
      CURLOPT_FOLLOWLOCATION  => 1,
  ]

);
$auth = curl_exec($token);

var_dump($auth);
  • PS: Fake account.

1 answer

1


It is normal, it only indicates that the page was "moved" and the Location: will indicate where the user should go.


This Wikipedia post about HTTP codes is enough to answer:

3xx Redirection

302 Found

This is an example of good industry practice contradicting the standard. The HTTP/1.0 specification (RFC 1945) required the client to perform a temporary redirect (the original describing phrase was "Moved Temporarily"), but popular browsers implemented 302 with the functionality of a 303 See Other. Therefore, HTTP/1.1 added status codes 303 and 307 to distinguish between the two behaviors. However, most web applications and frameworks still use the status code 302 as if it were the 303.

Source


By default Curl will not follow redirects; this is a somewhat unsafe practice, even with Curl's default limitations.

To enable redirects (follow the header of Location:):

curl_setopt_array($token, [
     //...
     CURLOPT_FOLLOWLOCATION => true
]);

To set the redirect limit you can use CURLOPT_MAXREDIRS, where 10 is the limit set by me; if it is -1, it will be unlimited:

CURLOPT_MAXREDIRS => 10

To define which protocols can be used, for example HTTP and HTTPS:

CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS

To use the same method for redirecting use the command below, so if you do a POST it (and the content sent) will be sent to the redirected location:

CURLOPT_POSTREDIR => 2

If you want Curl to update the referer based on the Location, you may also use:

CURLOPT_AUTOREFERER => 1

Using CURLOPT_HEADER => TRUE you will get all the headers of all the requests made; this may explain why:

HTTP/1.1 302 Found
//...

HTTP/1.1 200 Ok
//...

This indicates that the first request returned 302 and the second 200, for example. Naturally, it could also be 302 -> 404, or 302 -> 403.

Also if you want to get the URL of the last request made, you can also use the command:

echo curl_getinfo($token, CURLINFO_EFFECTIVE_URL);

If you want to get the last HTTP code you can also use:

echo curl_getinfo($token, CURLINFO_HTTP_CODE);

By default, Curl does not allow redirects to the FILE and SCP protocols as of version 7.19.4, and as of version 7.40.0 SMB and SMBS are also not followed. But all the rest are followed, including gopher, smtp and ftp, which may be a potential risk, but I don’t think that’s the point.

  • Hey, thanks, I’m reading the curl documentation, it should say so there. I did what you put in the reply and it is still 302, but I read some articles and it is normal.

  • 1

    They report this clearly, -L, --location: If the server reports that the requested page has moved to a different location (indicated with a Location: header and a 3XX response code), this option will make curl redo the request on the new place., in https://curl.haxx.se/docs/manpage.html. Using FOLLOWLOCATION will allow it to follow the path, as documented. For this to occur there must be a Location: and it must be 3XX.

  • It is necessary to set --max-redirs <num> to -1, and I couldn’t find the CURL that does this.

  • This is equivalent to CURLOPT_MAXREDIRS and is optional.

  • Yes, but it makes it unlimited, as it says in the documentation. I just wanted to remove this message and leave 200 OK, but it’s hard.

  • I edited to add more details; I believe it now has all the commands regarding redirecting, although it will not necessarily fix the problem.

  • Done: returned to me https://twitter.com/login/error?username_or_email=jhonesstevan&redirect_after_login=%2F

  • So it followed the redirect normally; after all, you made the request to https://twitter.com/sessions. This, then, is not the problem. Maybe the problem is that you did not set the cookies obtained in the earlier request, but this is another issue.

  • yes code is 200 echo curl_getinfo($token, CURLINFO_HTTP_CODE); OK now :D

  • But I don’t get all the cookies from Twitter, why would that be?
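
As an added example (not part of the question, the answer or cURL's own code): the redirect options from the answer combined into one bounded, HTTPS-only option set, plus a parser for the stacked header blocks that CURLOPT_HEADER returns when redirects are followed, which marks any hop whose Location leaves the starting host. The function names, the example.com and example.net hosts and the sample response are constructed for illustration.

```php
<?php
// Added example (hypothetical names). Answer's redirect options: bounded, HTTPS-only, TLS checks on.
function hardened_redirect_options(): array
{
    return [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_HEADER          => true,            // header block of every hop is returned
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 5,               // bounded, never -1
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // no gopher/smtp/ftp or plain-http hops
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_COOKIEFILE      => '',              // enables the in-memory cookie engine
    ];
}

// Split a CURLOPT_HEADER response into one entry per hop (status, Location, cookie names).
function parse_redirect_chain(string $raw): array
{
    $hops = [];
    foreach (preg_split('/\r?\n\r?\n/', $raw) as $block) {
        if (!preg_match('#^HTTP/[\d.]+\s+(\d{3})#', $block, $m)) {
            break; // first block without a status line is the final body
        }
        $hop = ['status' => (int) $m[1], 'location' => null, 'cookies' => []];
        foreach (preg_split('/\r?\n/', $block) as $line) {
            if (preg_match('/^Location:\s*(.+)$/i', $line, $l)) {
                $hop['location'] = trim($l[1]);
            } elseif (preg_match('/^Set-Cookie:\s*([^=;]+)=/i', $line, $c)) {
                $hop['cookies'][] = trim($c[1]); // names only; values are secrets
            }
        }
        $hops[] = $hop;
    }
    return $hops;
}

// True when a hop's Location leaves the starting host (a POST re-sent via CURLOPT_POSTREDIR goes there).
function leaves_host(array $hop, string $startUrl): bool
{
    $target = $hop['location'] === null ? null : parse_url($hop['location'], PHP_URL_HOST);
    return is_string($target) && strcasecmp($target, (string) parse_url($startUrl, PHP_URL_HOST)) !== 0;
}
// Constructed sample of curl_exec() output with CURLOPT_HEADER and FOLLOWLOCATION on.
$raw = "HTTP/1.1 302 Found\r\nLocation: https://login.example.net/error\r\nSet-Cookie: sess=abc; Secure\r\n\r\n"
     . "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>";
foreach (parse_redirect_chain($raw) as $i => $hop) {
    printf("hop %d: %d -> %s cookies=[%s]%s\n", $i, $hop['status'], $hop['location'] ?? '(final)', implode(',', $hop['cookies']), leaves_host($hop, 'https://www.example.com/sessions') ? ' LEAVES HOST' : '');
}
```

To use the option set on a real handle, pass it to curl_setopt_array() together with CURLOPT_URL; a relative Location is treated as staying on the starting host.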
