cURL / Mailing Lists / curl-library / Single Mail


RE: cUrl and challenge-response authentication (NTLM)

From: Daniel Stenberg <>
Date: Mon, 2 Jan 2012 23:05:26 +0100 (CET)

On Mon, 2 Jan 2012, Yehezkel Horowitz wrote:

> I agree that this logic should be applied also for "follow redirects"
> option.
> I don't understand why curl need to keep the headers, it should only pass
> the headers of the last response, since in this mode the application declare
> that it just want to know the "bottom line".

> In case of authentication you should get "401 Unauthorized" only if this
> is final answer.

I can easily come up with one case right now and I suspect there are others
if we just give it some more thoughts.

Assume your application enables authentication with a specific subset of
authentication types. When the 401 response comes libcurl doesn't know if it
is the final or not, so it will have to keep all headers around until after it
has gotten the "Authorization:" headers as if the server only wants types you
don't know or use, the 401 is the final one and otherwise it is not.

> Another point I noticed, that I can't use NTLM authentication with
> CURLOPT_FORBID_REUSE (since NTLM provide authentication per connection).

Right. However that's a bug we should be able to fix without the above
mentioned change being strictly necessary.

> I think that if curl will handle all this inside, it should also work when
> CURLOPT_FORBID_REUSE is used - it should close the connection only when it
> passes the data to the application.

Not in the case of redirection following. And you still would want this to
work properly even when this new suggested mode is disabled...

List admin:
Received on 2012-01-02