curl-users

Re: User Authentication on/off

From: Kevin P Roth <kproth_at_MarathonOil.com>
Date: Mon, 19 Mar 2001 14:25:28 -0600

I'm thinking if the redirect is to a different hostname, I'd probably want the authentication to not be passed to the 2nd host. Perhaps it would be safe enough to simply say if it's a different domain, then don't pass it along. Of course, these "safety" features are usually rules implemented (and sometimes overridable) within a browser, and curl isn't a browser... And depending on which one you're talking to, "the same domain" might mean a different number of "."s. I can also imagine circumstances where I might only want the authentication to apply to the actual URL I specified, and no other page, even on the same host.

Personally I'd vote for intentionally treating the two methods of user:pass specification (A & B as you described) differently:

  -u would pass the authentication info on to whatever you're redirected to,
  and http://user:password would only apply to the URL you specified.

And I would add this: somehow allow -u to specify which hosts or URLs it applies to. For example:

  -u user:password@*.microsoft.com applies to all Micro$~1 servers,

  -u user:password@msdn.microsoft.com/workshop/* applies to all URLs on msdn.microsoft.com starting with /workshop/

This would cover all scenarios: both the ones where you don't care which URLs -u applies to, and those cases where you do, with as much flexibility as you could possibly desire.

--Kevin

>>> Daniel Stenberg <daniel_at_haxx.se> 3/19/01 9:28 AM >>>
Curl has two ways of enabling HTTP basic user authentication:
 A) curl -u user:password http://host.com
or
 B) curl http://user:password@host.com
Now, imagine that the site sends a redirect to another absolute URL (without
user+password in the URL of course) and we tell curl to follow that Location:
header.
What should curl do with the authentication data in the second request?
Received on 2001-03-19
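
The rules proposed in the mail above (credentials given in the URL apply only to that URL; `-u` credentials follow redirects unless limited by a host or host/path pattern), sketched as an added example that is not part of the original mail and is not curl's code or syntax. The function names and the glob semantics (Python's `fnmatch`) are assumptions.

```python
from fnmatch import fnmatchcase
from posixpath import normpath
from urllib.parse import urlsplit


def in_scope(scope, url):
    """Match url against 'host-pattern[/path-pattern]', e.g. '*.microsoft.com'."""
    host_pat, slash, path_pat = scope.partition("/")
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")      # hostname is already lowercased
    # '*.microsoft.com' needs the literal dot: it matches neither the bare
    # 'microsoft.com' nor 'evilmicrosoft.com'.
    if not fnmatchcase(host, host_pat.lower()):
        return False
    if not slash:
        return True                                 # host-only scope
    # Collapse '.' and '..' so /workshop/../private cannot match /workshop/*.
    # (Percent-encoded dot segments are not decoded in this sketch.)
    path = normpath(parts.path or "/")
    if parts.path.endswith("/") and path != "/":
        path += "/"                                 # normpath drops the trailing slash
    return fnmatchcase(path, "/" + path_pat)


def url_key(url):
    """Identity of a URL with any user:password part ignored."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port, p.path or "/", p.query)


def send_credentials(source, first_url, target_url, scope=None):
    """Decide whether a redirected request to target_url gets the credentials.

    source 'url': given as http://user:password@host (method B)
    source 'u'  : given with -u (method A), optionally with a scope
    """
    if source == "url":
        return url_key(first_url) == url_key(target_url)   # that URL only
    if scope is None:
        return True                  # unscoped -u follows every redirect
    return in_scope(scope, target_url)


if __name__ == "__main__":
    # Constructed redirect targets
    for target in ("http://msdn.microsoft.com/workshop/a.html",
                   "http://msdn.microsoft.com/workshop/../private/a.html",
                   "http://microsoft.com.example.net/workshop/a.html"):
        print(target, in_scope("msdn.microsoft.com/workshop/*", target))
```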