curl-users
Re: Re: Re: problem with http basic authentication and multiple redirects
Date: Wed, 26 Nov 2008 21:36:37 +0100
> > There's still a problem: curl sends the basic authentication header
> > again and again on all subsequent redirected GETs.
>> I don't think it should be doing that unless you are using the
>> --location-trusted option.
> Under exactly what conditions are you
> finding this happens?
The circumstances are:
The redirects are always staying on the same host.
And it's always https.
I used the --anyauth and --location options, but not --location-trusted.
(and --user, --socks4a, --cookie-jar, -o, -v, -k)
As far as I remember, the sequence is now (I can provide some information
from the -v output tomorrow.)

#1 (original path)
GET /path/app?par=filename
HTTP/1.x 302 Moved Temporarily
Location: /basicbcaaa/protected/basicbcaaa/?par=BASE64ENCODEDSESSION==

#2 (redirect to sign on application)
GET /basicbcaaa/protected/basicbcaaa/?par=BASE64ENCODEDSESSION==
HTTP/1.x 401 Unauthorized
WWW-Authenticate: BASIC realm="WWW2 basic"

#3 (sign on)
GET /basicbcaaa/protected/basicbcaaa/?par=BASE64ENCODEDSESSION==
Authorization: Basic aBcDeFaBcDeFaBcDeFaBcDeF
HTTP/1.x 302 Moved Temporarily
Location: /path/app?par=filename;cookiename=cookievalue
Set-Cookie: SSOCookie=BASE64ENCODED-SSOTOKEN==; Path=/

#4 (redirect to original application, with session id)
GET /path/app?par=filename;somename=somevalue
Authorization: Basic aBcDeFaBcDeFaBcDeFaBcDeF
Cookie: SSOCookie=BASE64ENCODED-SSOTOKEN==
HTTP/1.x 302 Moved Temporarily
Location: /path/app?par=filename

#5 (again, original request, this time with some cookies)
GET /path/app?par=filename
Authorization: Basic aBcDeFaBcDeFaBcDeFaBcDeF
SSOCookie=BASE64ENCODED-SSOTOKEN==
HTTP/1.x 200 OK
Content-Type: application/x-download

Menner
Received on 2008-11-26
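
An added example, not part of the original post and not curl's own code: a small Python audit of a `curl -v` trace that reports which requests repeat the `Authorization` header after it was first sent, split by whether the `Host` stayed the same. The trace is constructed from the sequence described in the message; the host name `app.example.test` and the credential placeholder are assumptions.

```python
import re
# Constructed curl -v style trace ("> " request, "< " response); host and values are placeholders.
SAMPLE_TRACE = """\
> GET /path/app?par=filename HTTP/1.1
> Host: app.example.test
< HTTP/1.1 302 Moved Temporarily
< Location: /basicbcaaa/protected/basicbcaaa/?par=SESSION
> GET /basicbcaaa/protected/basicbcaaa/?par=SESSION HTTP/1.1
> Host: app.example.test
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: BASIC realm="WWW2 basic"
> GET /basicbcaaa/protected/basicbcaaa/?par=SESSION HTTP/1.1
> Host: app.example.test
> Authorization: Basic PLACEHOLDER
< HTTP/1.1 302 Moved Temporarily
< Location: /path/app?par=filename;somename=somevalue
> GET /path/app?par=filename;somename=somevalue HTTP/1.1
> Host: app.example.test
> Authorization: Basic PLACEHOLDER
< HTTP/1.1 302 Moved Temporarily
< Location: /path/app?par=filename
> GET /path/app?par=filename HTTP/1.1
> Host: app.example.test
> Authorization: Basic PLACEHOLDER
< HTTP/1.1 200 OK
"""

REQ = re.compile(r"^> [A-Z]+ (\S+) HTTP/")

def parse_hops(trace):
    """Return one dict per request found in a curl -v trace (response lines are ignored)."""
    hops = []
    for line in trace.splitlines():
        m = REQ.match(line)
        if m:
            hops.append({"path": m.group(1), "host": None, "auth": False})
        elif hops and line.lower().startswith("> host:"):
            hops[-1]["host"] = line.split(":", 1)[1].strip().lower()
        elif hops and line.lower().startswith("> authorization:"):
            hops[-1]["auth"] = True
    return hops

def audit(hops):
    """Return (same_host, cross_host): 1-based hops that repeat credentials after the first send."""
    sent = [(i, h["host"]) for i, h in enumerate(hops, 1) if h["auth"]]
    origin = sent[0][1] if sent else None  # host that first received the credentials
    same = [i for i, host in sent[1:] if host == origin]
    cross = [i for i, host in sent[1:] if host != origin]
    return same, cross
```

For the constructed trace, `audit(parse_hops(SAMPLE_TRACE))` returns `([4, 5], [])`: the header is repeated on hops 4 and 5, and never to a different host.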