cURL / Mailing Lists / curl-library / Single Mail


RE: cUrl and challenge-response authentication (NTLM)

From: Yehezkel Horowitz <>
Date: Mon, 2 Jan 2012 17:27:20 +0200

>I agree that it could make sense with a mode that makes libcurl hold the
headers for a while and if it can deal with them itselves for auth reasons etc it would hide them completely from the application. That same logic (or
similar) could also hide headers for 30X redirects as it has the similar

I agree that this logic should be applied also for "follow redirects" option.

I don't understand why curl need to keep the headers, it should only pass the headers of the last response, since in this mode the application declare that it just want to know the "bottom line".
   In case of authentication you should get "401 Unauthorized" only if this is final answer.
   In case of redirects it you should get the final response headers (for which you'll also get the body).

As far as I understand from curl code, curl already save the needed information (Auth challenge / redirect Location) from the intermediate responses so this point is already covered.

Another point I noticed, that I can't use NTLM authentication with CURLOPT_FORBID_REUSE (since NTLM provide authentication per connection).

I think that if curl will handle all this inside, it should also work when CURLOPT_FORBID_REUSE is used - it should close the connection only when it passes the data to the application.

List admin:
Received on 2012-01-02