cURL / Mailing Lists / curl-library / Single Mail


Re: Repeated HTTP Authorization after 401 response with uknown method

From: Petr Pisar <>
Date: Tue, 28 Aug 2012 09:44:48 +0200

On Mon, Aug 27, 2012 at 08:22:57PM +0000, Joe Mason wrote:
> > From: curl-library [] on behalf of Petr Pisar
> > []
> >
> > I think special option mandating sending the Authorization header not
> > matter what would the best one.
> Well, IMHO this definitely shouldn't work without a curl_easy_reset: once
> the server has sent a 401 without Basic, curl knows the server doesn't
> accept Basic auth and shouldn't send it. (It's ok for curl to send Basic
> auth with its first request, before its received a 401, since that will save
> a roundtrip if the server happens to accept it.)
> In theory doing a curl_easy_reset should cause curl to forget all details of
> the previous responses, so it should go back to sending your Basic auth.
> But there was a recent bug with this, which should be fixed now.
> Aha. The fix was made just AFTER the 7.27.0 release. Try downloading the
> most recent code from git and compiling that to see if it fixes your
> problem.
I checked the head 4c070de4fb01b4fbf29f8c463ba96da97b36bd2f and it behaves as
I want. I verified reverting

commit ce8311c7e49eca93c136b58efa6763853541ec97
Author: Joe Mason <>
Date: Fri Jul 27 17:25:45 2012 -0400

    Zero out auth structs before transfer

restores the previous (7.27.0) behaviour.

In addition I tried to figure out what everything has to be re-set to get
Authorization header in second request and it looks like nothing special is
needed. No curl_easy_reset(), no setting no CURLOPT_PASSWORD even no

So I'm more than satisfied with current master head. I'm just not sure it
matches your idea exactly. (Maybe I should note the server I use closes
connection after each request.)

-- Petr

List admin:

  • application/pgp-signature attachment: stored
Received on 2012-08-28