David Byron wrote:
> the details of the conversation, but hopefully this is helpful. This is
> what I do:
>
> - click on a URL to start IE. This URL does a GET. Before it gives me
> the page, I do the authentication. Here's (a slightly sanitized version
> of) what happens:
...
> - Now I click on a button on the page to do a POST. Here's what
> happens:

That is helpful, thanks, but another test is needed to test a POST
that is _not_ preceded by an authorised GET on the same connection.
This is a more likely usage for libcurl users.

(Sending a Content-Type multipart with Content-Length: 0 is weird and
nasty. It would be especially nasty if the didn't already know it was
an authenticated NTLM connection that would respond with a 401 to that
form of POST request and Authenticate header.)

Could you do the following?:

   1. Save the GET'd form locally, as a file.

   2. Add a BASE element to the document, containing the original URL
      of the form. This is added in the <head> section:

         <base href="http://myhost:myport/curltest-auth/uploadform.htm" />

      (If there's a BASE element already, no need to add one).

   3. Close IE or something like that, to ensure the POST will
      definitely open a new connection to the server.

   4. Visit the file using IE. Post to the form. Trace what happens.

Please check that the POST happens over a new HTTP connection, not
re-using an already authenticated NTLM connection.

Thanks,
-- Jamie
Received on 2004-11-05