How does --anyauth work? Is it pinging the server first, then
examining the returned headers to see what kind of auth might be being
demanded?

I know I've seen a couple of servers that wouldn't work properly if I
pile right in and hand it an auth with the first call. I have to hit
the server first without auth, then again with auth. I think it's a
cookie issue, not a curl problem. The server just doesn't understand
the auth without the cookie, or something equally irritating...

Ralph

On 4/20/05, Daniel Stenberg <daniel-curl_at_haxx.se> wrote:
> On Tue, 19 Apr 2005, Ralph Mitchell wrote:
>
> > I'll leave it to Daniel to decide if curl should be switching from Basic to
> > Digest in mid-stream. What you could try next would be to *tell* curl to
> > send Digest Auth the first time around:
>
> --anyauth is what curl provides if you want let curl check for available auth
> methods and then pick the "best" it supports.
>
> libcurl has no support for "try this method, and if this fails try next
> method" so we'd need to make this change in there first to allow such an
> option. I see how it could be useful, but also how this wget approach is
> rather bad:
>
> Now wget first sends the password in plain text, only to find out that the
> server wants to use a safer method that doesn't require you to send the
> password in plain... So, you've added round-trips and still shown your
> password to eavesdroppers.
>
> --
> Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
>
Received on 2005-04-20