I'm trying to simulate a POST to a website based on what I see coming from Live HTTP headers in Firefox.

Here's a copy/paste of the log from the Firefox plugin:

POST /context?tab=login HTTP/1.1
Host: website
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: referer
Cookie: fontsize=2; JSESSIONID=0000pXE_BK7TjZFzEyNHqOKzXz2:-1
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
loginid=password&password=password&login=Login

And the response that follows immediately after the POST:

HTTP/1.1 302 Found
Location: website/context?tab=p00689
Content-Language: en-US
Set-Cookie: JSESSIONID=0000oaKlIeeDRWkX5YCiJu5v1lM:-1; Path=/
Transfer-Encoding: chunked
Date: Mon, 07 Feb 2011 14:15:21 GMT
Server: WebSphere Application Server/6.1
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-cache="set-cookie, set-cookie2"

Based on my testing, a response that redirects to

website/context?tab=p00689

Means that the user was authenticated and everything worked properly.

However, when trying to accomplish this via PHP & cURL, I'm being redirected to a page that informs the user that their session has timed out.

Here's the code:

// Provider only likes Firefox
$agent = "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13";

ini_set("user_agent", $agent);

// Cookie
$cookie = tempnam("/tmp", "curlcookie");

// Post everything that was posted to me.
$fields = $_POST;

foreach($fields as $key=>$value)
{
        $fields_string .= "$key=$value&";
}

$fields_string = substr($fields_string, 0, strlen($fields_string) - 1);

// Custom headers
$headers = array(
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language: en-us,en;q=0.5",
        "Accept-Encoding: gzip,deflate",
        "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
        "Keep-Alive: 115",
        "Connection: keep-alive");

// cURL options
$ch = curl_init("website");

curl_setopt($ch, CURLOPT_REFERER, "referer");
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_MAXREDIRS, 1);
curl_setopt($ch, CURLINFO_HEADER_OUT, true);
curl_setopt($ch, CURLOPT_USERAGENT, $agent);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$output = curl_exec($ch);
$header  = curl_getinfo($ch);

curl_close($ch);

// Debugging junk
echo nl2br($header["request_header"]);
echo "<br/><br/>Output:<br/><br/>$output";

The output from that script is as follows:

POST /context?tab=login HTTP/1.1
User-Agent: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13
Host: website
Pragma: no-cache
Referer: referer
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Length: 46
Content-Type: application/x-www-form-urlencoded

loginid=username&password=password&login=Login

Output:

HTTP/1.1 302
Found
Location:website/context?tab=p00697
Content-Language: en-US Set-Cookie:
JSESSIONID=0000Tl8NL1Hg2dbNv_PEnq-bbvr:-1;
Path=/ Set-Cookie:
JSESSIONID=0000Zue58y1tXg3tt4XjB8exXw6:-1;
Path=/ Transfer-Encoding: chunked
Date: Mon, 07 Feb 2011 19:18:20 GMT
Server: WebSphere Application
Server/6.1 Expires: Thu, 01 Dec 1994
16:00:00 GMT Cache-Control:
no-cache="set-cookie,
set-cookie2"

Based on what I've posted, is there anything obvious that I'm missing? What should I try next? The requests look semantically the same; I'm not sure what I could be doing incorrectly.

The one thing that stands out is the following line of code:

$cookie = tempnam("/tmp", "curlcookie");

Now if this fails to create the file then tempnam would return false, meaning that the following lines of code:

curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie);

are as good as not being set at all, you should keep the cookie file within the same directory as the executing script.

the next thing is:

$fields = $_POST;
foreach($fields as $key=>$value)
{
   $fields_string .= "$key=$value&";
}
$fields_string = substr($fields_string, 0, strlen($fields_string) - 1);

You do not need to do this as CURLOPT_POSTFIELDS accepts an array so you should be able to do:

curl_setopt($ch, CURLOPT_POSTFIELDS, $_POST);

This will make sure that the entities are correctly parsed.

I also think you can remove the ini_set as that's for native functions such as file_get_contents and fopen streams etc, so double check the line:

ini_set("user_agent", $agent);

Also I would check to see if there is a cookie already set from the main page, such as index.php as the site may block requests from sources that have come directly to the login page with data.