Repeated HTTP Authorization after 401 response with unknown method

From: Petr Pisar <petr.pisar_at_atlas.cz>
Date: Mon, 27 Aug 2012 21:14:23 +0200

Hello,

I have a special HTTP server which expects an Authorization header with the `Basic'
method and refuses a bad password with a 401 HTTP code and a WWW-Authenticate header
with a special `totp' method.

My problem is that cURL (7.27.0) stops sending Authorization after the first such 401
response.

Setting CURLOPT_HTTPAUTH, CURLOPT_USERNAME, or CURLOPT_PASSWORD again does not
help. Even calling curl_easy_reset() does not help. The only solution is to
use a fresh new CURL handle.

This is the log from the server; note that the Authorization header is missing in
the second attempt:

Connection accepted
Request: <POST /asws/changePassword HTTP/1.1>
Request-URI: </asws/changePassword>
Header: <Authorization: Basic Zm9vOmJhcjE=>
Header: <Host: localhost:59547>
Header: <Accept: */*>
Header: <Content-Length: 274>
Header: <Content-Type: application/x-www-form-urlencoded>
Body of size 274 B has been received
Authenticating basic: got=<Zm9vOmJhcjE=>, expected=<YWxmYTpiZXRhZ2FtYQ==> (alfa:betagama)
Response: <HTTP/1.0 401 Unauthorized>
Response: <WWW-Authenticate: totp realm="SimulatedISDSServer">
Response: <X-Response-message-code: authentication.error.userIsNotAuthenticated>
Response: <X-Response-message-text: Retry: Bad user name or password in second OTP phase.
 This is very long header
 which should span to more lines.
   Surrounding LWS are meaning-less. >
Response: <Content-Length: 0>
Response: <>
Body of size 0 B has been sent
Connection accepted
Request: <POST /asws/changePassword HTTP/1.1>
Request-URI: </asws/changePassword>
Header: <Host: localhost:59547>
Header: <Accept: */*>
Header: <Content-Length: 274>
Header: <Content-Type: application/x-www-form-urlencoded>
Body of size 274 B has been received
Response: <HTTP/1.0 401 Unauthorized>
Response: <WWW-Authenticate: totp realm="SimulatedISDSServer">
Response: <X-Response-message-code: authentication.error.userIsNotAuthenticated>
Response: <X-Response-message-text: Client did not send any authentication header>
Response: <Content-Length: 0>
Response: <>
Body of size 0 B has been sent

The CURL client is very simple:

/* handle (a CURL *), error (a CURLcode, initially CURLE_OK), url, username,
   password1 and body are set up earlier; that part is not shown here.
   Needs <string.h> for strlen() and <curl/curl.h>. */
for (int i = 0 ; i < 2; i++) {
    curl_easy_reset(handle);            /* clear all options before each attempt */
    if (!error)
        error = curl_easy_setopt(handle, CURLOPT_URL, url);
    if (!error)
        error = curl_easy_setopt(handle, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
    if (!error)
        error = curl_easy_setopt(handle, CURLOPT_USERNAME, username);
    if (!error)
        error = curl_easy_setopt(handle, CURLOPT_PASSWORD, password1);
    if (!error)
        error = curl_easy_setopt(handle, CURLOPT_POST, 1L);  /* option takes a long */
    if (!error)
        error = curl_easy_setopt(handle, CURLOPT_POSTFIELDS, body);
    if (!error)
        error = curl_easy_setopt(handle, CURLOPT_POSTFIELDSIZE, (long)strlen(body));
    if (!error)
        error = curl_easy_perform(handle);  /* second iteration: no Authorization sent */
}

I understand cURL tries to be smart and not send the Authorization header
if the method requested by the server mismatches.

Could you confirm this is the reason?

Am I right that it's not possible to reset the authentication method in the handle
now?

Could you consider adding such a reset in a newer release? Or could you consider
making this method negotiation voluntary, e.g. driven by a new option?

(If you are curious who produced such a crippled server, the answer is my
(Czech) government.)

-- Petr
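As an added illustration (not part of Petr's mail and not curl's own code), the following Python script models the client-side decision the mail describes: the client is configured for Basic, the 401 advertises a scheme the client does not know (`totp`), so a curl-like client finds no usable scheme and stops sending Authorization. The raw 401 block is constructed to mirror the server log above, including the header folded over several lines, which the parser unfolds; the function names and the `configured` set are assumptions of this example.

```python
"""Added example: parse a 401 challenge and decide whether a client that only
knows the given schemes still has a scheme it can keep using."""

# Constructed sample: a raw 401 header block modelled on the server log in the
# mail, including one header folded across several continuation lines.
RAW_401_TOTP = (
    "HTTP/1.0 401 Unauthorized\r\n"
    'WWW-Authenticate: totp realm="SimulatedISDSServer"\r\n'
    "X-Response-message-code: authentication.error.userIsNotAuthenticated\r\n"
    "X-Response-message-text: Retry: Bad user name or password in second OTP phase.\r\n"
    " This is very long header\r\n"
    " which should span to more lines.\r\n"
    "   Surrounding LWS are meaning-less. \r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: the same server answering with a scheme the client knows.
RAW_401_BASIC = (
    "HTTP/1.0 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="SimulatedISDSServer"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split a raw header block into (status line, [(name, value), ...]).

    Header names are lower-cased. A line starting with SP or HTAB is a folded
    continuation of the previous header and is appended to it with a single
    space, with surrounding whitespace dropped (the log calls it meaningless).
    """
    status, _, rest = raw.partition("\r\n")
    headers = []
    for line in rest.split("\r\n"):
        if line == "":           # empty line ends the header block
            break
        if line[0] in " \t":
            if not headers:
                raise ValueError("continuation line before any header")
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def status_code(status_line):
    """Return the numeric status code from an HTTP status line."""
    return int(status_line.split()[1])


def challenge_schemes(headers):
    """Return the lower-cased auth-scheme token of each WWW-Authenticate
    header (one challenge per header, as the server in the mail sends)."""
    schemes = []
    for name, value in headers:
        if name == "www-authenticate" and value:
            schemes.append(value.split(None, 1)[0].rstrip(",").lower())
    return schemes


def pick_scheme(configured, offered):
    """Model the behaviour the mail describes: after a 401, the client only
    keeps sending credentials for a scheme that it knows AND the server
    offered. Returns the scheme name, or None when nothing matches."""
    for scheme in offered:
        if scheme in configured:
            return scheme
    return None


def keep_sending_authorization(configured, raw_response):
    """True if the client should continue to send Authorization on the next
    request after this response; False when a 401 offered no usable scheme."""
    status, headers = parse_headers(raw_response)
    if status_code(status) != 401:
        return True
    return pick_scheme(configured, challenge_schemes(headers)) is not None


if __name__ == "__main__":
    for label, raw in (("totp challenge", RAW_401_TOTP), ("basic challenge", RAW_401_BASIC)):
        print(label, "-> keep sending Basic:",
              keep_sending_authorization({"basic"}, raw))
```

With the `totp` challenge the function answers False, which is the state the second request in the server log shows; with a Basic challenge it answers True. In libcurl terms the decision is remembered in the easy handle, which is why the mail reports that only a fresh handle restores the header.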

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2012-08-27