curl-users
Re: Re: Re: problem with http basic authentication and multiple redirects
Date: Thu, 27 Nov 2008 22:18:16 +0100 (CET)
On Wed, 26 Nov 2008, Menner May wrote:
>> Under exactly what conditions are you finding this happens?
>
> The circumstances are: The redirects are always staying on the same host.
> And it's always https.
Right. This happens because (lib)curl doesn't consider the path part for when
to send the authentication (again) but only the host name so it'll continue to
send the same Authorization: as long as the same host is re-used.
This seems like a violation against RFC2617 section 2:
   A client SHOULD assume that all paths at or deeper than the depth of
   the last symbolic element in the path field of the Request-URI also
   are within the protection space specified by the Basic realm value of
   the current challenge. A client MAY preemptively send the
   corresponding Authorization header with requests for resources in
   that space without receipt of another challenge from the server.
   Similarly, when a client sends a request to a proxy, it may reuse a
   userid and password in the Proxy-Authorization header field without
   receiving another challenge from the proxy server.
-- 
 / daniel.haxx.se

-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2008-11-27
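The two rules contrasted in the thread, host-name-only reuse versus the RFC 2617 section 2 protection space, side by side as a decision function. This is an added illustration, not libcurl's code; the URLs are constructed, and it assumes the realm stays the same across the chain (the RFC scopes the space by realm as well, which a client cannot know for a hop it has not yet been challenged on).

```python
import posixpath
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_root(url):
    """(scheme, host, port) identifying the server, with default ports filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (u.hostname or "").lower(), port)


def normalized_path(url):
    """Request path with dot segments resolved, keeping a trailing slash if present."""
    path = urlsplit(url).path or "/"
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def protection_space_prefix(challenged_url):
    """RFC 2617 s.2: everything up to and including the last '/' of the path on
    which the 401 challenge was received is the root of the protection space."""
    path = normalized_path(challenged_url)
    return path[: path.rfind("/") + 1]


def host_only_rule(challenged_url, next_url):
    """The behaviour described in the mail: credentials follow the host name only."""
    a = (urlsplit(challenged_url).hostname or "").lower()
    b = (urlsplit(next_url).hostname or "").lower()
    return a == b


def rfc2617_rule(challenged_url, next_url):
    """Send Basic credentials preemptively only when the redirect target is on the
    same canonical root (scheme, host, port) and at or below the challenged path."""
    if canonical_root(challenged_url) != canonical_root(next_url):
        return False
    return normalized_path(next_url).startswith(protection_space_prefix(challenged_url))


def classify_chain(challenged_url, redirect_targets):
    """For each hop, report (url, host_only_would_send, rfc2617_would_send)."""
    return [
        (u, host_only_rule(challenged_url, u), rfc2617_rule(challenged_url, u))
        for u in redirect_targets
    ]


if __name__ == "__main__":
    # Constructed chain: a 401 on /api/v1/login, then several same-host redirects.
    challenged = "https://example.com/api/v1/login"
    hops = [
        "https://example.com/api/v1/data",           # inside the space: both send
        "https://example.com/other/page",            # same host, other path
        "http://example.com/api/v1/data",            # same host, plain http
        "https://example.com/api/v1/../../secret",   # dot segments escape the space
    ]
    for url, host_only, rfc in classify_chain(challenged, hops):
        print(f"{url:45s} host-only={host_only!s:5s} rfc2617={rfc}")
```

The second and third hops are the case the thread is about: a host-name-only rule keeps sending the same Authorization header, while the path-scoped rule withholds it, so credentials are not handed to a part of the server that never challenged for them.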