curl-and-php

Re: redirection and auth?

From: Andres Salomon <dilinger_at_mp3revolution.net>
Date: Fri, 8 Feb 2002 13:43:12 -0500

On Fri, Feb 08, 2002 at 11:07:23AM +0100, Daniel Stenberg wrote:
>
> On Fri, 8 Feb 2002, Andres Salomon wrote:
>
> > I've got a url that displays a 301 (permanently moved), and then redirects
> > to a password protected page. I would expect that the redirection would be
> > completely transparent to the libcurl client, but that doesn't seem to be
> > the case; the following code only works without redirection:
>
> You left out a few details that would be interesting, and there's also a
> minor missing feature in libcurl here that you might be experiencing.
>
> Does the redirect take you to another host? If so, libcurl will not re-send
> the authentication to the new host, only the original one. See below for more
> reasoning around this.

Depends on what libcurl considers a new host. The redirect goes from
foo.com to www.foo.com; this is handled by different apache vhosts (I
have no idea _why_ it's not just a serveralias, but that's a different
discussion). Same TLD, same SSL cert, different vhost.

>
> If not, then I'd say you're experiencing some kind of bug.
>
> > $curl = curl_init("https://example.com/page.php");
> > curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
> > //curl_setopt($curl, CURLOPT_HEADER, 1);
> > curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
> > curl_setopt($curl, CURLOPT_USERPWD, "test:test");
> > $result = curl_exec($curl);
> >
> > $code = curl_getinfo ($curl, CURLINFO_HTTP_CODE);
> > print "http code: $code\n";
> > print "result: $result\n";
> >
> > Under normal circumstances, the http code that's returned is a 200
> > (successful). However, when the page it tries to access is a redirect, one
> > of two things happens. If FOLLOWLOCATION is not set, then it returns a 301
> > (moved permanently). This seems to be proper behavior. If FOLLOWLOCATION
> > is set, however, a 401 (auth error) is returned. This implies that the
> > username/password combination is sent to the redirect page, and is no
> > longer available for the page that has been redirected to. This is w/
> > php-4.0.6 and libcurl 7.9.1. Is there any way to make this work?
>
> If you would provide us the headers your script receives, together with the
> CURLOPT_VERBOSE output, we could tell you instantly. (Edit out sensitive data
> before posting.)
>

BIO_read (0x81814e8, 0x8188948, 7)
BIO_read (0x81814e8, 0x818894f, 72)
BIO_read (0x81814e8, 0x8188948, 5)
BIO_read (0x81814e8, 0x818894d, 845)
BIO_read (0x81814e8, 0x8188948, 5)
BIO_read (0x81814e8, 0x818894d, 397)
BIO_read (0x81814e8, 0x8188948, 5)
BIO_read (0x81814e8, 0x818894d, 4)
BIO_read (0x81814e8, 0x8188948, 5)
BIO_read (0x81814e8, 0x818894d, 1)
BIO_read (0x81814e8, 0x8188948, 5)
BIO_read (0x81814e8, 0x818894d, 40)
* SSL connection using EDH-RSA-DES-CBC3-SHA
* Server certificate:
* subject: /C=US/ST=VA/L=Chantilly/O=Plesk
* Inc./CN=plesk.com/Email=support_at_plesk.com
* start date: 2000-11-10 23:24:41 GMT
* expire date: 2001-11-10 23:24:41 GMT
* issuer: /C=US/ST=VA/L=Chantilly/O=Plesk
* Inc./CN=plesk.com/Email=support_at_plesk.com
* Connected to bar.foo.com (192.168.0.100)
> GET /awesom/backend/server.php HTTP/1.1
Authorization: Basic dGVzdDp1YnRlc3Q=
Host: bar.foo.com
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

BIO_read (0x81814e8, 0x8188948, 5)
BIO_read (0x81814e8, 0x818894d, 696)
* Follow to new URL:
* https://www.bar.foo.com/awesom/backend/server.php
* Connection #0 left intact
* Follows Location: to new URL:
* 'https://www.bar.foo.com/awesom/backend/server.php'
BIO_read (0x81931e0, 0x819c650, 7)
BIO_read (0x81931e0, 0x819c657, 72)
BIO_read (0x81931e0, 0x819c650, 5)
BIO_read (0x81931e0, 0x819c655, 845)
BIO_read (0x81931e0, 0x819c650, 5)
BIO_read (0x81931e0, 0x819c655, 397)
BIO_read (0x81931e0, 0x819c650, 5)
BIO_read (0x81931e0, 0x819c655, 4)
BIO_read (0x81931e0, 0x819c650, 5)
BIO_read (0x81931e0, 0x819c655, 1)
BIO_read (0x81931e0, 0x819c650, 5)
BIO_read (0x81931e0, 0x819c655, 40)
* SSL connection using EDH-RSA-DES-CBC3-SHA
* Server certificate:
* subject: /C=US/ST=VA/L=Chantilly/O=Plesk
* Inc./CN=plesk.com/Email=support_at_plesk.com
* start date: 2000-11-10 23:24:41 GMT
* expire date: 2001-11-10 23:24:41 GMT
* issuer: /C=US/ST=VA/L=Chantilly/O=Plesk
* Inc./CN=plesk.com/Email=support_at_plesk.com
* Connected to www.bar.foo.com (192.168.0.100)
> GET /awesom/backend/server.php HTTP/1.1
Host: www.bar.foo.com
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

BIO_read (0x81931e0, 0x819c650, 5)
BIO_read (0x81931e0, 0x819c655, 824)
* Connection #1 left intact
result: HTTP/1.1 301 Moved Permanently
Date: Fri, 08 Feb 2002 16:58:15 GMT
Server: Apache/1.3.19 (Unix) mod_perl/1.24_01 mod_throttle/2.11
PHP/4.0.6 FrontPage/4.0.4.3 mod_ssl/2.8.3 OpenSSL/0.9.6b
Location: https://www.bar.foo.com/awesom/backend/server.php
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 401 Authorization Required
Date: Fri, 08 Feb 2002 16:58:16 GMT
Server: Apache/1.3.19 (Unix) mod_perl/1.24_01 mod_throttle/2.11
PHP/4.0.6 FrontPage/4.0.4.3 mod_ssl/2.8.3 OpenSSL/0.9.6b
WWW-Authenticate: Basic realm="valid-user"
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>401 Authorization Required</TITLE>
</HEAD><BODY>
<H1>Authorization Required</H1>
This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.<P>
<HR>
<ADDRESS>Apache/1.3.19 Server at www.bar.foo.com Port 443</ADDRESS>
</BODY></HTML>

* Closing connection #0
* Closing connection #1

I think an option that told it to skip the extra step if the cert for
both sites were exactly the same, or something, would be useful.

>
> libcurl does not re-send authentication info to other hosts than the original
> one, in order to protect the user somewhat from revealing the info to
> whoever the original site owner might decide to redirect you to.
>
> A missing feature would be to tell libcurl to skip that extra check or
> preferably I think, to provide a list of (other) host names that are
> considered OK to pass the information to as well.
>
> Other suggestions or ideas, as well as contributions are welcome.
>
> --
> Daniel Stenberg -- curl groks URLs -- http://curl.haxx.se/
>
>
>

(Again, CC: replies to me)

-- 
"I think a lot of the basis of the open source movement comes from
  procrastinating students..."
	-- Andrew Tridgell <http://www.linux-mag.com/2001-07/tridgell_04.html>
Received on 2002-02-08
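As an added illustration (not code from the thread or from the curl project), here is the pattern Daniel describes: follow redirects hop by hop in PHP and re-send Basic credentials only to an explicit allowlist of hosts, and only over HTTPS. The URL, credentials and hostnames are placeholders.

```php
<?php
// Added example: manual redirect following with a credential allowlist.
// libcurl itself refuses to re-send CURLOPT_USERPWD to a different host after
// a redirect; this helper makes that decision explicit per hop, so the
// credentials reach www.foo.example (placeholder) but nothing else.

function fetch_with_auth_allowlist(string $url, string $userpwd,
                                   array $allowed_hosts, int $max_redirects = 5): array
{
    for ($hop = 0; $hop <= $max_redirects; $hop++) {
        $host   = strtolower((string) parse_url($url, PHP_URL_HOST));
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));

        $curl = curl_init($url);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, false); // we decide per hop
        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
        curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);

        // Credentials go out only to allowlisted hosts and never over plain http.
        if ($scheme === 'https' && in_array($host, $allowed_hosts, true)) {
            curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
            curl_setopt($curl, CURLOPT_USERPWD, $userpwd);
        }

        $body = curl_exec($curl);
        if ($body === false) {
            $err = curl_error($curl);
            curl_close($curl);
            throw new RuntimeException("curl failed for $url: $err");
        }
        $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
        $next = curl_getinfo($curl, CURLINFO_REDIRECT_URL); // '' when no Location
        curl_close($curl);

        if (!in_array($code, [301, 302, 303, 307, 308], true) || $next === '') {
            return ['code' => $code, 'url' => $url, 'body' => $body];
        }
        $url = $next; // follow the Location header on the next iteration
    }
    throw new RuntimeException("too many redirects starting from $url");
}

// Placeholder values: the thread's foo.com -> www.foo.com hop.
$r = fetch_with_auth_allowlist(
    'https://foo.example/page.php',
    'test:test',
    ['foo.example', 'www.foo.example']
);
print "http code: {$r['code']} at {$r['url']}\n";
```

Later libcurl versions added CURLOPT_UNRESTRICTED_AUTH, which simply drops the cross-host check; an allowlist like the one above is the tighter control because it names exactly which hosts may see the password.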