I'm trying to log into a MediaWiki 1.28 site using the API and a standalone PHP script, but it keeps failing with the error "invalid token." I can successfully retrieve a login token:
$tokenRequest = array( 'action' => 'query', 'format' => 'json', 'meta' => 'tokens', 'type' => 'login', );
But when I issue my "action=clientlogin" request, I always get the error "code=badtoken, info = invalid token":
$loginRequest = array( 'action' => 'clientlogin', 'format' => 'json', 'logintoken' => $token, 'loginreturnurl' => 'https://example.com/', 'username' => $username, 'password' => $password, 'domain' => 'mydomain', 'rememberMe' => 1, );
I suspect the problem is that the two requests are not explicitly being made in the same session. That is, I'm not adding the header "Cookie: <session cookie>" to my second HTTP POST. How do I retrieve the session cookie after issuing my meta=tokens request so I can hand it to the client login request? In earlier versions of MediaWiki, I could get the cookie information from an API call, "action=login". This has been deprecated but I haven't seen any examples of the new way to do it, just generic instructions like "Clients should handle cookies to properly manage session state."
I'm not operating inside the MediaWiki codebase with its WebRequest, SessionManager, etc. classes -- this is a standalone script.
Thank you, DanB