I’m building a login system in php where I need to use credentials from another website, I’m using an API to login to another server and I’m doing it using cURL. The server where the login credentials are stored does create a cookie with a unique tolken after the user has logged in correctly and this cookie is important to view other webpages and interrogate this pages using other APIs.
This is what I’ve done so far and it seems to work fine, in the login controller php file I’ve got this code
$km_username = filter_var($_POST['userName'], FILTER_SANITIZE_STRING);
$km_user_password = $_POST['userPassword'];
$cookieFile = "cookies.txt";
if(!file_exists($cookieFile)) {
$fh = fopen($cookieFile, "w");
fwrite($fh, "");
fclose($fh);
}
$url = 'https://www.apiwebsite.com/api/login.jsp?';
$fields = array(
'userid' => $km_username,
'password' => $km_user_password
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookieFile); // Cookie aware
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookieFile); // Cookie aware
$content = curl_exec($ch);
curl_close($ch);
In the page where I want to interrogate the server to get other datas I’ve got
$dates = array(
'd_inizio' => '01/01/2017',
'd_fine' => '31/12/2017'
);
$url = "https://www.apiwebsite.com/api/ricevute.jsp?";
$cookie = "../../km-controllers/cookies.txt";
$ch = curl_init ($url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($dates));
curl_setopt ($ch, CURLOPT_COOKIEFILE, $cookie);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, true);
$output = curl_exec ($ch);
So basically after user has logged into the website cURL saves a cookie txt file into my server and this allows me to use that file any other time i want to make another call using for example a different api
Now the question is: what happen if I’ve got more than one user logging into the system? Do I need to create x number of cookies according on how many users log into the system? Would it not be simpler to save the cookie into the user’s browser?
Yes, you should use a different file for each client. What you can do is use tempnam() to generate a unique filename for the client, and save this in a session variable, then use it as the cookie jar. The login controller can do this:
session_start();
if (!isset($_SESSION['cookiefile'])) {
$cookiefile = tempnam(".", "cookie");
$_SESSION['cookiefile'] = basename($cookiefile);
}
And then the later page can use
$cookie = "../../km-controllers/" . $_SESSION['cookiefile'];
When the user logs out, you should delete this file and remove the session variable.
There's nothing that will automatically pass the cookies through from the curl session to the client browser or vice versa. If you don't want to save the cookies in a file, you can use curl_getinfo($ch, CURLINFO_COOKIELIST) to get the cookies, but you'll then have to parse the info yourself, and later use CURLOPT_COOKIE to set each cookie when making future calls. The cookie file automates all this.
Full code for login controller.
session_start(); // This needs to be at the very beginning of your script, before anything that produces output
//...
$km_username = filter_var($_POST['userName'], FILTER_SANITIZE_STRING);
$km_user_password = $_POST['userPassword'];
if (!isset($_SESSION['cookiefile'])) {
$cookieFile = tempnam(".", "cookie");
$_SESSION['cookiefile'] = basename($cookiefile);
file_put_contents($cookieFile, "");
}
$cookieFile = $_SESSION['cookiefile'];
$url = 'https://www.apiwebsite.com/api/login.jsp?';
$fields = array(
'userid' => $km_username,
'password' => $km_user_password
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookieFile); // Cookie aware
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookieFile); // Cookie aware
$content = curl_exec($ch);
curl_close($ch);
And the later interrogator:
session_start(); // at very beginning
// ...
$dates = array(
'd_inizio' => '01/01/2017',
'd_fine' => '31/12/2017'
);
$url = "https://www.apiwebsite.com/api/ricevute.jsp?";
if (!isset($_SESSION['cookiefile'])) {
die("no cookie file");
}
$cookie = "../../km-controllers/" . $_SESSION['cookiefile'];
$ch = curl_init ($url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($dates));
curl_setopt ($ch, CURLOPT_COOKIEFILE, $cookie);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, true);
$output = curl_exec ($ch);
Related
I was wondering if you could help me out with a bit of code for a cCURL request using PHP, I'm trying to retrieve data from the fpl api that would show my league standings. The url for the league standings api is - https://fantasy.premierleague.com/api/leagues-classic/my_league_id/standings/?page_new_entries=1&page_standings=1 I can see the data via the browser but when I try to retrieve it with a curl request with PHP it comes back with a 403 error with the message "Authentication credentials were not provided". That would mean that I would need login credentials to retrieve it.
After looking into it using dev tools and postman, I now know that I need to get a csrf token by logging in then save the token to use when I make the request for the league standings. I have no idea how to go about this, I kind of do but I would really appreciate if someone could give it a go for me.
What I would need to do is make a POST request to https://users.premierleague.com/accounts/login/ with this form data -
"login" => "my_email",
"password" => "my_password",
"app" => "plfpl-web",
"redirect_uri" => "https://fantasy.premierleague.com/",
After making the request I would need to capture the csrf token cookie, which I believe would be in the hidden input with the name - "csrfmiddlewaretoken" and save it in a variable.
Once getting the token and saving it, I would then make a GET request to https://fantasy.premierleague.com/api/leagues-classic/my_league_id/standings/ with placing the csrf token variable that I saved into the headers and then json decode that data so I'm able to echo out the league details.
I'm pretty sure that's how to do it but I'm not that great at PHP and was wondering if there is any savour out there that could help a brother out. Any help would be much appreciated :)
I've started with the first part, making the initial post request, but have had no luck in returning the token. Here's my code so far -
<?php
$cookie = "cookies.txt";
$url = 'https://users.premierleague.com/accounts/login/';
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
$response = curl_exec($ch);
curl_close($ch);
// var_dump($response);
$dom = new DOMDocument;
#$dom->loadHTML($response);
$tags = $dom->getElementsByTagName('input');
for($i = 0; $i < $tags->length; $i++) {
$grab = $tags->item($i);
if($grab->getAttribute('name') === 'csrfmiddlewaretoken') {
$token = $grab->getAttribute('value');
}
}
echo $token;
?>
<?php
// id of the league to show
$league_id = "your_league_id";
// set the relative path to your txt file to store the csrf token
$cookie_file = realpath('your_folder_dir_to_the_txt_file/cookie.txt');
// login url
$url = 'https://users.premierleague.com/accounts/login/';
// make a get request to the official fantasy league login page first, before we log in, to grab the csrf token from the hidden input that has the name of csrfmiddlewaretoken
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt ($ch, CURLOPT_COOKIEJAR, $cookie_file);
curl_setopt ($ch, CURLOPT_COOKIEFILE, $cookie_file);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$response = curl_exec($ch);
$dom = new DOMDocument;
#$dom->loadHTML($response);
// set the csrf here
$tags = $dom->getElementsByTagName('input');
for($i = 0; $i < $tags->length; $i++) {
$grab = $tags->item($i);
if($grab->getAttribute('name') === 'csrfmiddlewaretoken') {
$token = $grab->getAttribute('value');
}
}
// now that we have the token, use our login details to make a POST request to log in along with the essential data form header fields
if(!empty($token)) {
$params = array(
"csrfmiddlewaretoken" => $token,
"login" => "your_email_address",
"password" => "your_password",
"app" => "plfpl-web",
"redirect_uri" => "https://fantasy.premierleague.com/",
);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
/**
* using CURLOPT_SSL_VERIFYPEER below is only for testing on a local server, make sure to remove this before uploading to a live server as it can be a security risk.
* If you're having trouble with the code after removing this, look at the link that #Dharman provided in the comment section.
*/
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
//***********************************************^
$response = curl_exec($ch);
// set the header field for the token for our final request
$headers = array(
'csrftoken ' . $token,
);
}
// finally, we now have everything we need to make the GET request to retrieve the league standings data. Enjoy :)
$fplUrl = 'https://fantasy.premierleague.com/api/leagues-classic/' . $league_id . '/standings/';
curl_setopt($ch, CURLOPT_URL, $fplUrl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
if(!empty($token)) {
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
}
$response = curl_exec($ch);
$league_data = json_decode($response, true);
curl_close($ch);
echo '<pre class="card">';
print_r($league_data);
echo '</pre>';
?>
I need to get response from server using curl, but I can't.
The site: https://www.investing.com/holiday-calendar/
I can get that calendar using get request, but I need a list with custom dates. That mean I should use that datepicker. So when I press "apply" it sent post request with data I needed to get. (see the screenshots)
The DatePicker:
A post request with JSON response:
Code:
ini_set('error_reporting', E_ALL);
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
define('DIR', __DIR__);
$user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'Traider';
$cookie = dirname(__FILE__).DIRECTORY_SEPARATOR.'init_cookie.txt';
$f = fopen('init_deb.txt', 'w');
$ch = curl_init();
$getUrl = 'https://www.investing.com/holiday-calendar/';
$postUrl = 'https://www.investing.com/holiday-calendar/Service/getCalendarFilteredData';
$dateFrom='2017-01-14';
$dateTo='2017-12-31';
$limit_from = 0;
$params = [
'dateFrom' => $dateFrom,
'dateTo' => $dateTo,
'county' => '',
'limit_from' => $limit_from
];
curl_setopt($ch, CURLOPT_URL, $postUrl);
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_STDERR, $f);
$response = curl_exec($ch);
fclose($f);
curl_close($ch);
echo $response;
Step 1. I sent a get request, save cookies.
Step 2. I sent a post request changing $getUrl -> $postUrl. I always get the main page. Why I can't get JSON response?
after a bit of testing, the big secret is that they refuse requests that dont have the X-Requested-With:XMLHttpRequest header attached. attach that (using CURLOPT_HTTPHEADER), and you dont even need a cookie session. i guess its part of some XSS protection scheme.
working example code using hhb_curl from https://github.com/divinity76/hhb_.inc.php/blob/master/hhb_.inc.php :
<?php
declare(strict_types=1);
require_once('hhb_.inc.php');
$hc=new hhb_curl();
$hc->_setComfortableOptions();
$hc->setopt_array(array(
CURLOPT_POST=>true,
CURLOPT_POSTFIELDS=>http_build_query(array(
'dateFrom'=>'2017-01-28',
'dateTo'=>'2017-01-28',
'country'=>'',
'limit_from'=>'0'
)),
CURLOPT_HTTPHEADER=>array(
'X-Requested-With:XMLHttpRequest'
)
));
$hc->exec('https://www.investing.com/holiday-calendar/Service/getCalendarFilteredData');
hhb_var_dump($hc->getResponseBody());
I'm trying to login to one of my sites using curl to pull information off the page. It does not seem to be working. Here's the code I'm trying. If it helps I can create a user/pass for just this scenario.
<?php
$username = 'xxx';
$password = 'xxx';
$loginUrl = 'http://gwintersdev.com/user';
$finalUrl = 'http://gwintersdev.com/admin';
$userinput = 'name';
$passwordinput = 'pass';
$ch = curl_init();
curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt");
curl_setopt($ch, CURLOPT_URL,$loginUrl);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "$userinput=$username&$passwordinput=$password");
curl_setopt($ch, CURLOPT_USERAGENT, 'user-agent');
ob_start(); // prevent any output
curl_exec ($ch); // execute the curl command
ob_end_clean(); // stop preventing output
curl_close ($ch);
unset($ch);
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt");
curl_setopt($ch, CURLOPT_URL, $finalUrl);
$buf2 = curl_exec ($ch);
curl_close ($ch);
print $buf2;
?>
Update: I was able to get the above working, but I'm trying this on a different ASP site and it's not working. I grabbed all the hidden fields and added them to the post string, but it still won't login.
<?php
$username = 'xxx';
$password = 'xxx';
$loginUrl = 'http://vitalstim.com/health_professionals/certified_provider_resources/forum.aspx';
$finalUrl = 'http://vitalstim.com/health_professionals/certified_provider_resources/forum.aspx';
$userinput = 'ctl00$ContentPlaceHolder1$uc_login$txtUser';
$passwordinput = 'ctl00$ContentPlaceHolder1$uc_login$txtPass';
$login = 'ctl00$ContentPlaceHolder1$uc_login$butLogin';
$validation_input = '__EVENTVALIDATION';
$validation_input_value = '/wEWAgKf+PTrBQKItpn5BDXHCHsANbEpwkEBmMyNv+32L2Ec';
$view_state = '/wEPDwUJLTQyMjg0NzI0D2QWAmYPZBYGAgEPZBYEAgYPFgIeB1Zpc2libGVoZAIHDxYCHwBoZAIDD2QWBAIBD2QWCAIBD2QWBAIBDw8WAh4EVGV4dGVkZAIFDw8WAh8AaGRkAgcPZBYCAgEPZBYCAgMPZBYCAgEPFgIfAGhkAgkPDxYCHwBoZGQCCw8PFgIfAGhkZAIDDxYCHwBoZAIFDw8WAh8BBXY8c2NyaXB0IGxhbmd1YWdlPSJqYXZhc2NyaXB0IiB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgokKGRvY3VtZW50KS5yZWFkeShmdW5jdGlvbigpIHsKVml0YWxTdGltLkluaXQoNCk7Cn0pOwo8L3NjcmlwdD4KZGRkdz/7+FcQ1E1sbC0Gua3jJsCGSnM=';
$event_valid = '/wEWBwKeiM4xAoi2mfkEAurz/r4MAvTX0jYC+4GopQkCo6iimggC2pO41g77y84VwyhP6Ek+7PGZYDNgOawRZw==';
$ch = curl_init();
curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt");
curl_setopt($ch, CURLOPT_URL, $loginUrl);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, "$userinput=$username&$passwordinput=$password&$validation_input=$validation_input_value&$login=login&__EVENTVALIDATION=$event_valid&_VIEWSTATE=$view_state");
curl_setopt($ch, CURLOPT_USERAGENT, 'user-agent');
curl_exec ($ch); // execute the curl command
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt");
curl_setopt($ch, CURLOPT_URL, $finalUrl);
$buf2 = curl_exec ($ch);
curl_close ($ch);
print $buf2;
?>
It looks like you are missing two hidden fields that are in the source of that form. CSRF protection kinda. You can try scrapeing that, by doing a third request, before the other two, and getting those values, and putting them in the second request.
Also, like i said in my comment above, dont close your curl handler.
Any more info you can give would be awesome
EDIT:
As for the ASP page: asp is terribly difficult to curl this with. It could easily be hiding fields that you need. My suggestion would be to create a fake page, that print_r's $_POST and $_GET, and change the action of the form on their page with chrome, or firebug, to submit to your page. Just to check if you are missing anything
I did what i suggested to try, and i got this:
Array
(
[__EVENTTARGET] =>
[__EVENTARGUMENT] =>
[__VIEWSTATE] => /wEPDwUJLTQyMjg0NzI0D2QWAmYPZBYGAgEPZBYEAgYPFgIeB1Zpc2libGVoZAIHDxYCHwBoZAIDD2QWBAIBD2QWCAIBD2QWBAIBDw8WAh4EVGV4dGVkZAIFDw8WAh8AaGRkAgcPZBYCAgEPZBYCAgMPZBYCAgEPFgIfAGhkAgkPDxYCHwBoZGQCCw8PFgIfAGhkZAIDDxYCHwBoZAIFDw8WAh8BBXY8c2NyaXB0IGxhbmd1YWdlPSJqYXZhc2NyaXB0IiB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgokKGRvY3VtZW50KS5yZWFkeShmdW5jdGlvbigpIHsKVml0YWxTdGltLkluaXQoNCk7Cn0pOwo8L3NjcmlwdD4KZGRkdz/7+FcQ1E1sbC0Gua3jJsCGSnM=
[ctl00$ContentPlaceHolder1$uc_login$txtUser] => test
[ctl00$ContentPlaceHolder1$uc_login$txtPass] => test
[ctl00$ContentPlaceHolder1$uc_login$butLogin] => Login
[__EVENTVALIDATION] => /wEWBwKeiM4xAoi2mfkEAurz/r4MAvTX0jYC+4GopQkCo6iimggC2pO41g77y84VwyhP6Ek+7PGZYDNgOawRZw==
)
This ended up doing the trick.
http://www.mishainthecloud.com/2009/12/screen-scraping-aspnet-application-in.html?showComment=1368565341638#c9104469935977149435
I am trying to login Joomla 1.6/3.0 by curl in PHP but not success.
I had try method from joomla 1.5
$uname = "id";
$upswd = "pswd";
$url = "http://www.somewebpage.com";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url );
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE );
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE );
curl_setopt($ch, CURLOPT_COOKIEJAR, './cookie.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, './cookie.txt');
curl_setopt($ch, CURLOPT_HEADER, FALSE );
$ret = curl_exec($ch);
if (!preg_match('/name="([a-zA-z0-9]{32})"/', $ret, $spoof)) {
preg_match("/name='([a-zA-z0-9]{32})'/", $ret, $spoof);
}
// POST fields
$postfields = array();
$postfields['username'] = urlencode($uname);
$postfields['passwd'] = urlencode($upswd);
$postfields['lang'] = '';
$postfields['option'] = 'com_login';
$postfields['task'] = 'login';
$postfields[$spoof[1]] = '1';
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);
$ret = curl_exec($ch);
But it 's show forbidden
Joomla! normally from the web browser will send a token, to make sure the form was posted from a browser (and not from somewhere outside, like you are trying to do).
If it's not posted from a browser, an error like 'The most recent request was denied because it contained an invalid security token. Please refresh the page and try again.'
You may want to look for an autentication plugin that supports what you are trying to do. For example the Autologin plugin.
I am trying to upload a image to a gallery on a facebook fan page, here is my code thus far,
$ch = curl_init();
$data = array('type' => 'client_cred', 'client_id' => 'app_id','client_secret'=>'secret_key',' redirect_uri'=>'http://apps.facebook.com/my-application/'); // your connect url here
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_URL, 'https://graph.facebook.com/oauth/access_token');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
$rs = curl_exec($ch);
curl_close($ch);
$ch = curl_init();
$data = explode("=",$rs);
$token = $data[1];
$album_id = '1234';
$file= 'http://my.website.com/my-application/sketch.jpg';
$data = array(basename($file) => "#".realpath($file),
//filename, where $row['file_location'] is a file hosted on my server
"caption" => "test",
"aid" => $album_id, //valid aid, as demonstrated above
"access_token" => $token
);
$ch2 = curl_init();
$url = "https://graph.facebook.com/".$album_id."/photos";
curl_setopt($ch2, CURLOPT_URL, $url);
curl_setopt($ch2, CURLOPT_HEADER, false);
curl_setopt($ch2, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch2, CURLOPT_RETURNTRANSFER, false);
curl_setopt($ch2, CURLOPT_POST, true);
curl_setopt($ch2, CURLOPT_POSTFIELDS, $data);
$op = curl_exec($ch2);
When I echo $token, I seem to be getting the token, but when I run the script, I get this error, {"error":{"type":"OAuthAccessTokenException","message":"An access token is required to request this resource."} , I have NO idea why it is doing this!
Basically what I am doing in that code is getting the access token with curl, and then, uploading the photo to my album also via curl, but I keep getting that error!
Any help would be appreciated, thank you!
Ok, got it working, here is the code, assuming that you have a valid session going.
$token = $session['access_token'];
//upload photo
$file= 'photo.jpg';
$args = array(
'message' => 'Photo from application',
);
$args[basename($file)] = '#' . realpath($file);
$ch = curl_init();
$url = 'https://graph.facebook.com/me/photos?access_token='.$token;
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $args);
$data = curl_exec($ch);
This will upload the specified image to the session holders gallery, it will create a album if there is not one present, also you can access the token via the session array as demonstrated above.
Hope this helps someone out.
Probably your application doesn't have needed permissions.
To request permissions via OAuth, use
the scope argument in your
authorization request, and include a
comma separated list of all the
permissions you want to request.
http://developers.facebook.com/docs/authentication/permissions