
curl-and-php

Re: redirection and auth?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Fri, 8 Feb 2002 11:07:23 +0100 (MET)

On Fri, 8 Feb 2002, Andres Salomon wrote:

> I've got a url that displays a 301 (permanently moved), and then redirects
> to a password protected page. I would expect that the redirection would be
> completely transparent to the libcurl client, but that doesn't seem to be
> the case; the following code only works without redirection:

You left out a few details that would be interesting, and there's also a
minor missing feature in libcurl here that you might be experiencing.

Does the redirect take you to another host? If so, libcurl will not re-send
the authentication to the new host, only the original one. See below for more
reasoning around this.

If not, then I'd say you're experiencing some kind of bug.

> $curl = curl_init("https://example.com/page.php");
> curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
> //curl_setopt($curl, CURLOPT_HEADER, 1);
> curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
> curl_setopt($curl, CURLOPT_USERPWD, "test:test");
> $result = curl_exec($curl);
>
> $code = curl_getinfo ($curl, CURLINFO_HTTP_CODE);
> print "http code: $code\n";
> print "result: $result\n";
>
> Under normal circumstances, the http code that's returned is a 200
> (successful). However, when the page it tries to access is a redirect, one
> of two things happens. If FOLLOWLOCATION is not set, then it returns a 301
> (moved permanently). This seems to be proper behavior. If FOLLOWLOCATION
> is set, however, a 401 (auth error) is returned. This implies that the
> username/password combination is sent to the redirect page, and is no
> longer available for the page that has been redirected to. This is w/
> php-4.0.6 and libcurl 7.9.1. Is there any way to make this work?

If you would provide us the headers your script receives, together with the
CURLOPT_VERBOSE output, we could tell you instantly. (Edit out sensitive data
before posting.)

libcurl does not re-send authentication info to other hosts than the original
one, in order to protect the user somewhat from revealing the info to
whoever the original site owner might decide to redirect you to.

A missing feature would be to tell libcurl to skip that extra check or,
preferably I think, to provide a list of (other) host names that are
considered OK to pass the information to as well.

Other suggestions or ideas, as well as contributions are welcome.

-- 
    Daniel Stenberg -- curl groks URLs -- http://curl.haxx.se/
Received on 2002-02-08
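
The host allow-list idea raised in the message above, as an added example (not code from this thread or from libcurl): redirects are followed by hand, and CURLOPT_USERPWD is set only for the original origin or for an allow-listed host reached over HTTPS. The function names `credentialsAllowed` and `fetchWithAuthAllowList`, the `$maxHops` limit and all host names are assumptions made for the illustration.

```php
<?php
// Added example: function names, hosts and the hop limit are constructed for illustration.
/** Decide whether credentials may accompany a request to $url. */
function credentialsAllowed(string $originUrl, string $url, array $allowedHosts): bool
{
    $o = parse_url($originUrl);
    $t = parse_url($url);
    if (!isset($o['scheme'], $o['host'], $t['scheme'], $t['host'])) {
        return false; // unparsable or relative URL: withhold
    }
    $key = function (array $p): string { // scheme://host:port, lower-cased, default port filled in
        $scheme = strtolower($p['scheme']);
        return $scheme . '://' . strtolower($p['host']) . ':' . ($p['port'] ?? ($scheme === 'https' ? 443 : 80));
    };
    $sameOrigin = $key($o) === $key($t); // scheme and port count too, stricter than host-only
    $listed = strtolower($t['scheme']) === 'https' // other hosts: HTTPS only, exact name match
        && in_array(strtolower($t['host']), array_map('strtolower', $allowedHosts), true);
    return $sameOrigin || $listed;
}

/** Follow redirects by hand, attaching $userpwd only where credentialsAllowed() says so. */
function fetchWithAuthAllowList(string $url, string $userpwd, array $allowedHosts, int $maxHops = 5): array
{
    $origin = $url;
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); // never let libcurl hop on its own
        if (credentialsAllowed($origin, $url, $allowedHosts)) {
            curl_setopt($ch, CURLOPT_USERPWD, $userpwd);
        }
        $body = curl_exec($ch);
        $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL); // absolute Location target, if any
        if ($code < 300 || $code >= 400 || !$next) {
            return [$code, $body];
        }
        $url = $next;
    }
    return [0, false]; // redirect limit exceeded
}

// Offline demo on constructed redirect targets (decision only, no network traffic).
$targets = ['https://example.com/moved.php', 'https://auth.example.net/login',
            'http://auth.example.net/login', 'https://other.example.org/'];
foreach ($targets as $t) {
    $ok = credentialsAllowed('https://example.com/page.php', $t, ['auth.example.net']);
    printf("%-32s %s\n", $t, $ok ? 'send credentials' : 'withhold');
}
```

Keep the allow-list to exact host names you control; a 401 from a host that is not on it is the expected outcome, not a failure of the redirect handling.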