cURL / Mailing Lists / curl-library / Single Mail


Re: Re: Re: [PATCH] http: avoid auth failure on a duplicated header

From: Daniel Stenberg <>
Date: Thu, 17 Jul 2014 13:28:22 +0200 (CEST)

On Thu, 17 Jul 2014, Michael Osipov wrote:

> WWW-Authenticate: Basic ream="A"
> WWW-Authenticate: Basic ream="B"
> That makes no sense and is incorrect.

Is it really? What if it has two overlapping realms and offer you to login to
any of them to access that resource?

I'm fully convinved you will find servers out there returning headers like

>> $ curl --verbose --basic -u michael-o:secret http://<host> -o /dev/null

> The client has never been challenged to authenticate but performs preemptive
> auth, thus disclosing his password.

Yes, because you're asking for it!

>> I don't see a need for --preemptive.
> The above shows the need.

I disagree. Use --anyauth instead of --basic and it'll probe and use whatever
method the server and curl agree to use.

If there's a missing option it would then rather be one that allows you to say
"I only want to use {basic,digest,ntlm,...} but I still want to probe first" -
which libcurl can do but that ability isn't exposed to the command line tool

List admin:
Received on 2014-07-17