How can I login to WordPress and use cookie after that

General
1

Hello,

I need to login to a wordpress page, collect some data, then logout.

The data is not available without login so first I need to submit the login page

I checked login page via developer tools and found this posted on the login form:

log: user
pwd: xxxx
rememberme: forever
wp-submit: Log In
redirect_to: https://my.wpsite.com/wp-admin/
testcookie: 1

also there is a cookie set like this:
wordpress_test_cookie=WP%20Cookie%20check

I wrote this code before the HTTP POST request:

msg.payload = {};
msg.payload = {
    "log":"user",
    "pwd":"xxx",
    "rememberme":"forever",
    "wp-submit":"Log In",
    "redirect_to":"https://my.wpsite.com/wp-admin/",
    "testcookie":"1"
}
msg.headers = msg.headers || {};
msg.headers["set-cookie"] = [];
msg.headers["set-cookie"] = [
        "wordpress_test_cookie=WP%20Cookie%20check",
        "wp_lang=en_US"];
return msg;

Unfortunately site returns "You have to enter a username first". This probably means that I cannot post the form successfully.

The form is like this:

<form name="loginform" id="loginform" action="https://my.wpsite.com/wp-login.php" method="post">
			<p>
				<label for="user_login">Username or Email Address</label>
				<input type="text" name="log" id="user_login" class="input" value="" size="20" autocapitalize="off" autocomplete="username" required="required">
			</p>

			<div class="user-pass-wrap">
				<label for="user_pass">My Password:</label>
				<div class="wp-pwd">
					<div class="user-pass-fields"><input type="password" name="pwd" id="user_pass" class="input password-input" value="" size="20" autocomplete="current-password" spellcheck="false" required="required"><div class="loginpress-caps-lock">Caps Lock is on</div></div>
					<button type="button" class="button button-secondary wp-hide-pw hide-if-no-js" data-toggle="0" aria-label="Show password">
						<span class="dashicons dashicons-visibility" aria-hidden="true"></span>
					</button>
				</div>
			</div>
						<p class="forgetmenot"><input name="rememberme" type="checkbox" id="rememberme" value="forever"> <label for="rememberme">Remember Me</label></p>
			<p class="submit">
				<input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Log In">
									<input type="hidden" name="redirect_to" value="https://my.wpsite.com/wp-admin/">
									<input type="hidden" name="testcookie" value="1">
			</p>
		</form>

Do you have any idea how I can login and get the cookie stored there for further http requests?

PS: I can post to the site with this command:

curl -d "log=user&pwd=xxxx&rememberme=forever&wp-submit=Log+In" -c cookies.txt https://my.wpsite.com/wp-login.php

and I can see the login cookie in the cookies.txt file.

2

There are a couple of things you need to correct.

set-cookie is not valid for a request (its a response header)
you need to use application/x-www-form-urlencoded as the content type.

So with that said.

msg.payload = {
    'log': 'user',
    'pwd': 'xxx',
    'rememberme': 'forever',
    'wp-submit': 'Log In',
    'redirect_to': 'https://my.wpsite.com/wp-admin/',
    'testcookie': '1'
};
msg.cookies = {
    'wordpress_test_cookie': 'WP%20Cookie%20check',
    'wp_lang': 'en_US'
};
msg.headers = {
    'content-type': 'application/x-www-form-urlencoded'
};
msg.method = 'POST'
return msg;
1 Like
3

Thanks, I believe it did the trick, though now I need to read the cookies for the next step.

It is logging in and redirects to main page ( which is ok ). The payload has the HTML data which I don't really need right now.

When I checked the complete msg, headers itself or headers["set-cookies"] doesn't have the cookies.

Though I saw a redirectList array under msg which had a cookies object under the first item:

"redirectList": 
[
  {
    "location":"https://my.wpsite.com",
    "cookies":{
      "wordpress_test_cookie":{"path":"/","value":"WP Cookie check"},
      "wordpress_sec_23aec67389bb93125a3fe834fcccb067":{"expires":"Sat, 11-Jan-2025 00:38:15 GMT","Max-Age":"1252800","path":"/wp-admin","value":"user|1736512695|vrYGcq7grlkMSgJJUSw7sJuNdV5qvW9mlMkmajTexyW|8525395632631b9970327a30bfb3f929025d32009a3c738e5e3c6e292cb5a58b"},
      "wordpress_logged_in_23aec67389bb93125a3fe834fcccb067":{"expires":"Sat, 11-Jan-2025 00:38:15 GMT","Max-Age":"1252800","path":"/","value":"user|1736512695|vrYGcq7grlkMSgJJUSw7sJuNdV5qvW9mlMkmajTexyW|1593885f68668753c9878b2a918cedd760260d36bc493b955879301f8225ef80"}
    }
  }
]

These are what I need. How can I use these cookies for another GET request? I tried to read them from msg object and assign to msg.cookies again but failed to do that.

PS. Also I saw the cookies in these array are objects ( array of "key":object ) . I believe we need to convert them to string list, with "key":"value" pairs. Is that correct?

4

If you want these cookies (after logon in)
you will store them (for future requests)

const redirect = msg.redirectList.find((c) => c.location === 'https://my.wpsite.com')
if(redirect) {
    flow.set('cookies', redirect.cookies)
}

Then future calls, can do

msg.cookies = flow.get('cookies')

Screenshot 2024-12-30 at 08.55.11
Screenshot 2024-12-30 at 08.55.11445Ă—107 9.57 KB

So whilst most of the extra bits will be ignored - the critical value will be in there