PHP CURL: problems signing in to Hotmail

I've killed lots of time on this and now I am running out of debugging options. If anyone has encountered this problem before or even simply has a slight idea of what can be going wrong, please let me know.

First of all, I use CURL to visit this page: http://login.live.com/login.srf?id=2&vv=400&lc=1033. I parse out all hidden and non-hidden fields, attach login/pass, urlencode everything and then submit this data to the page which the sign-in form points to. Then I try to find the "email/pass are wrong" error, and if it is not there, I assume that it signed in successfully. Here's the flow that takes place after this. The first entry is the response of the "sign in" page (when I post all data to it).

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 571
Content-Type: text/html; charset=utf-8
Expires: Fri, 08 Jul 2011 09:52:05 GMT
Server: Microsoft-IIS/7.5
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
X-XSS-Protection: 0
Set-Cookie: MSPOK= ; expires=Thu, 30-Oct-1980 16:00:00 GMT;domain=login.live.com;path=/;HTTPOnly= ;version=1
Set-Cookie: PPAuth=...cookie goes here...; domain=login.live.com;secure= ;path=/;HTTPOnly= ;version=1
Set-Cookie: PPLState=1; domain=.live.com;path=/;version=1
Set-Cookie: MSPShared=1; expires=Wed, 30-Dec-2037 16:00:00 GMT;domain=login.live.com;path=/;HTTPOnly= ;version=1
Set-Cookie: MSPPre= ;domain=login.live.com;path=/;Expires=Thu, 30-Oct-1980 16:00:00 GMT
Set-Cookie: MSPCID= ; HTTPOnly= ; domain=login.live.com;path=/;Expires=Thu, 30-Oct-1980 16:00:00 GMT
Set-Cookie: RPSTAuth=...cookie goes here...; domain=.live.com;path=/;HTTPOnly= ;version=1
Set-Cookie: RPSTAuthTime=1310118785; domain=login.live.com;path=/;HTTPOnly= ;version=1
Set-Cookie: MSPAuth=...cookie goes here...; domain=.live.com;path=/;HTTPOnly= ;version=1
Set-Cookie: MSPProf=...cookie goes here...; domain=.live.com;path=/;HTTPOnly= ;version=1
Set-Cookie: MSNPPAuth=...cookie goes here...; domain=.live.com;path=/;HTTPOnly= ;version=1
Set-Cookie: MH=MSFT; domain=.live.com;path=/;version=1
Set-Cookie: MHW=; expires=Thu, 30-Oct-1980 16:00:00 GMT;domain=.live.com;path=/;version=1
Set-Cookie: MHList=; expires=Thu, 30-Oct-1980 16:00:00 GMT;domain=.live.com;path=/;version=1
Set-Cookie: NAP=V=1.9&E=b13&C=0G_duhr_tQKqjDgf383QrDgK2gMYHsFPE_oAbIgZoDUzSr3M7_FXfw&W=1;domain=.live.com;path=/
Set-Cookie: ANON=A=A84CB86...FFFFFFF&E=b6d&W=1;domain=.live.com;path=/
Set-Cookie: MSPVis=$2$9;domain=login.live.com;path=/
Set-Cookie: pres=; expires=Thu, 30-Oct-1980 16:00:00 GMT;domain=.live.com;path=/;version=1
Set-Cookie: LOpt=0; domain=login.live.com;path=/;version=1
Set-Cookie: WLSSC=...cookie goes here...; domain=.live.com;secure= ;path=/;HTTPOnly= ;version=1
Set-Cookie: MSPSoftVis=@72...20@:@; domain=login.live.com;path=/;version=1
PPServer: PPV: 30 H: BAYIDSLGN1M36 V: 0
Date: Fri, 08 Jul 2011 09:53:04 GMT
Connection: close

<html><head><script type="text/javascript">function rd(){window.location.replace("http://www.hotmail.msn.com/cgi-bin/sbox?t=...&p=...&mkt=EN-US&lc=1033&id=2");}function OnBack(){}</script></head><body onload="javascript:rd();"></body></html>

HTTP/1.1 301 Moved Permanently
Content-Length: 546
Content-Type: text/html
Location: http://www.hotmail.msn.com/cgi%2Dbin/sbox/?t=...&p=...&mkt=EN-US&lc=1033&id=2
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
xxn: 49
Date: Fri, 08 Jul 2011 09:53:04 GMT

HTTP/1.1 301 Moved Permanently
Date: Fri, 08 Jul 2011 09:53:05 GMT
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
xxn: 16
MSNSERVER: H: DUB102-w16 V: 16.0.1677.630 D: 2011-06-30T23:31:34
Location: http://mail.live.com/default.aspx
Set-Cookie: KVC=...cookie goes here...; domain=.mail.live.com; path=/
Set-Cookie: xid=...cookie goes here...; domain=.msn.com; path=/
Set-Cookie: xidseq=1; domain=.msn.com; path=/
Set-Cookie: LD=; domain=.msn.com; expires=Fri, 08-Jul-2011 08:13:05 GMT; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 150

***[according to the normal browser flow, here I should be redirected to the normal hotmail homepage]***

HTTP/1.1 302 Found
Date: Fri, 08 Jul 2011 09:53:05 GMT
Server: Microsoft-IIS/6.0
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
xxn: 34
MSNSERVER: H: DUB103-w34 V: 16.0.1677.630 D: 2011-06-30T23:31:34
Location: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1310118785&rver=6.1.6206.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx%3Frru%3Dinbox&lc=1033&id=...&mkt=en-US&cbcxt=mai&snsc=1
Set-Cookie: KSC=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
Set-Cookie: kr=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
Set-Cookie: bsc=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
Set-Cookie: rru=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
Set-Cookie: prc=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
Set-Cookie: mt=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
Set-Cookie: KVC=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
Set-Cookie: DWN=; domain=.mail.live.com; expires=Thu, 01-Jan-1970 12:00:01 GMT; path=/
Cache-Control: no-cache, no-store
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 354

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 210
Content-Type: text/html; charset=utf-8
Expires: Fri, 08 Jul 2011 09:52:06 GMT
Server: Microsoft-IIS/7.5
P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
X-XSS-Protection: 0
Set-Cookie: MSPRequ=lt=...&id=...&co=1; path=/;version=1
Set-Cookie: MSPSoftVis=@721...620@:@; domain=login.live.com;path=/;version=1
PPServer: PPV: 30 H: BAYIDSLGN1M44 V: 0
Date: Fri, 08 Jul 2011 09:53:06 GMT
Connection: close

<html><head><script type="text/javascript">function rd(){window.location.replace("http://mail.live.com/default.aspx?rru=inbox");}function OnBack(){}</script></head><body onload="javascript:rd();"></body></html>


***[from now on if I go to default.aspx?rru=inbox, it will redirect me to the previous login.live.com which will again redirect me to this default.aspx and so on in an endless loop]***

Somehow Hotmail manages to enter an endless loop and I didn't manage to figure out why. All the cookies are saved in a txt file and I did make sure that CURL in fact writes to it. I even tried examining it step by step and I think I found out that the KVC cookie doesn't get saved. However, when I manually parsed it out of the headers and inserted it into the CURL cookie file, that didn't change anything: I still got this erroneous flow.

Chances are the site uses a CSRF token to prevent you from doing that. Instead of trying to emulate a login via the website and then scraping the contacts from the Hotmail page, use the Messenger Connect REST API. It supports reading Contact objects from Hotmail.

To get a collection of Contact objects by using the Messenger Connect REST API, make a GET request with the following parameters.

https://apis.live.net/v5.0/me/contacts?access_token=yourApiKey

This will return all Contacts in JSON format, which you can easily parse with json_decode, e.g. do

$contacts = json_decode(
    file_get_contents(
        'https://apis.live.net/v5.0/me/contacts?access_token=yourApiKey'
    )
);
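The following added example (not part of the original question or answer) applies the RFC 6265 domain-match rule to a few of the `Set-Cookie` headers from the trace in the question, to show which ones a compliant cookie jar would accept. The responding host for each header is an assumption read off the trace's `Location` headers, the function names are illustrative, and the cookie values are placeholders.

```php
<?php
// Constructed sample: [responding host, Set-Cookie value] pairs modelled on the
// trace in the question; cookie values are placeholders.
$observed = [
    ['login.live.com',      'PPAuth=placeholder; domain=login.live.com;secure= ;path=/;HTTPOnly= ;version=1'],
    ['login.live.com',      'MSPAuth=placeholder; domain=.live.com;path=/;HTTPOnly= ;version=1'],
    ['www.hotmail.msn.com', 'KVC=placeholder; domain=.mail.live.com; path=/'],
    ['www.hotmail.msn.com', 'xid=placeholder; domain=.msn.com; path=/'],
];

// RFC 6265 section 5.1.3: the host equals the cookie domain, or ends with "." . domain.
function domainMatches(string $host, string $cookieDomain): bool
{
    $host = strtolower($host);
    $cookieDomain = strtolower(ltrim($cookieDomain, '.'));
    if ($cookieDomain === '') return false;
    if ($host === $cookieDomain) return true;
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) return false; // no suffix rule for IPs
    return substr($host, -strlen($cookieDomain) - 1) === '.' . $cookieDomain;
}

// Split one Set-Cookie value into the cookie name and its lower-cased attributes.
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name] = explode('=', array_shift($parts), 2);
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') continue;
        $kv = explode('=', $part, 2);
        $attrs[strtolower(trim($kv[0]))] = trim($kv[1] ?? '');
    }
    return ['name' => trim($name), 'attrs' => $attrs];
}

// Report, per cookie, whether the responding host is allowed to set it.
function auditCookies(array $observed): array
{
    $report = [];
    foreach ($observed as [$host, $header]) {
        $c = parseSetCookie($header);
        $domain = $c['attrs']['domain'] ?? $host; // host-only cookie when Domain is absent
        $report[$c['name']] = domainMatches($host, $domain)
            ? 'stored' : "rejected (set by $host for $domain)";
    }
    return $report;
}

print_r(auditCookies($observed));
```

libcurl applies the same domain check when it fills its cookie jar, so a cookie that a host under `msn.com` sets for `.mail.live.com` is not written to the cookie file.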