Bugs item #3489445, was opened at 2012-02-19 12:59
Message generated for change (Settings changed) made by bagder
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3489445&group_id=976

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: http
Group: new feature request
>Status: Closed
Resolution: Invalid
Priority: 5
Private: No
Submitted By: Mailhot (nmailhot)
Assigned to: Daniel Stenberg (bagder)
Summary: Handle HTTP error 511 Network Authentication Required

Initial Comment:
Since
http://code.google.com/p/chromium/issues/detail?id=7338 and
https://bugzilla.mozilla.org/show_bug.cgi?id=479880

there is no clean way for a proxy or captive portal to get a web client to
display an authentication dialog when user credentials expire while he is
browsing on an https url.

(to be sure, the previous methods were insecure and hackish but they existed
because nothing better was available)

The IETF finally set up to fix this problem and defined a standard HTTP error
that lets access control equipments tell the web client authentication or
re-authentication is needed and where the authentication form is located.

http://tools.ietf.org/id/draft-nottingham-http-new-status-04.txt

→ <http://www.rfc-editor.org/queue2.html#draft-nottingham-http-new-status> (the
spec is approved and in the queue for publication as RFC)

Please add error 511 handling in curl so curl users can authenticate on new-style proxies too

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2012-02-20 02:51

Message:
1 - The 511 response is no different than any other 5xx response in how
much data that should be read and handled from the server and I think curl
already does this exactly how it should. Are you aware of any flaws?

2 - curl (and libcurl) are HTTP clients but they are no browsers and know
no browsers and they cannot handle HTML in any shape or form. It also
cannot launch browsers. That's not the job of curl, that's the job of
someone who's using (lib)curl.

curl and libcurl handle basic auth perfectly fine, but A) that won't be
easily deduced from the 511 response and B) hardly *any* captive portable
I've ever seen uses basic auth, they all pretty unconditionally use form
and cookie based authentication.

How can auth pages make our lives easier? Since I believe they are browser
and HTML centric I don't think they can do a lot. Captive portals are a
pain for everything that isn't a browser and they are made for browsers.

----------------------------------------------------------------------

Comment By: Mailhot (nmailhot)
Date: 2012-02-19 21:44

Message:
There are several possible ways of handling it:
1. at minimum, pause or stop and tell the user authentication is required
on the page indicated by the error
2. if you have some way to know a browser is present: launch it on the form
page

Also while I agree trying to handle every possible html form would be a
mess, the page indicated in error 511 will usually just require basic auth
over https : can't you handle that?

I there are some ways the auth page can make your life easier: can you
define what they are, and just ask the ietf to document them in further
revisions of the rfc?

----------------------------------------------------------------------

Comment By: Daniel Stenberg (bagder)
Date: 2012-02-19 14:23

Message:
The 511 is meant to respond with a (link to a) HTML form. How are you
suggesting curl would act on that?

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=100976&aid=3489445&group_id=976
Received on 2012-05-07