curl-library

Re: extra requests sent when using HTTPAUTH_DIGEST

From: Marc Hoersken <info_at_marc-hoersken.de>
Date: Sat, 14 Apr 2012 10:10:29 +0200

2012/4/13 Joe Mason <jmason_at_rim.com>:
> As I understand HTTPAUTH, if I get a URL and the server returns a 401 response with a "WWW-Authenticate" header, I should resend the request with an Authorization header.  And if I understand curl, it's supposed to be able to construct the Authorization header behind the scenes.

No and yes. You should not resend the same request, because curl
actually does it for you if you supply the credentials.

>
> I've found that whenever I do this, when I call perform on the second request, curl actually sends 2 requests - one with Authorization and one without.
>
> [...]
>
> So clearly what's happening here is that when I call perform the second time, curl sends a second request without the Authorized header (to which my server sends another 401) followed by the request with Authorization (to which my server sends 200).
>
> Am I doing something wrong?

It depends. If you really need to analyze the headers returned by the
first request and then decide to send authentication inside your own
code, you are probably ok.
But generally speaking curl also handles the is-auth-required-check
for you. This is why an additional request is made and you do not need
to perform the very first request yourself. Just tell curl the
username and password from the first request on and it will handle
everything for you.

I don't know any option to disable this behavior, because I think it
is part of the HTTP spec.

Best regards,
Marc
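
Added example, not part of the original mail and not curl's own code: a sketch of the RFC 2617 Digest computation, showing that the Authorization header depends on the nonce from the server's 401 challenge and so cannot be built before that first response arrives. The function names are illustrative; the challenge and credentials are the worked example from RFC 2617 section 3.5.

```python
import hashlib
import re

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_challenge(www_authenticate):
    """Split a 'Digest k="v", ...' WWW-Authenticate value into a dict."""
    scheme, _, params = www_authenticate.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def digest_response(challenge, method, uri, user, password, cnonce, nc=1):
    """Compute the 'response' value. The realm and nonce come from the
    server's 401; cnonce and nc are chosen by the client per request."""
    ha1 = md5_hex(f"{user}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    nonce = challenge["nonce"]  # server-chosen, unknown before the 401
    if "auth" in challenge.get("qop", "").split(","):
        return md5_hex(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # RFC 2069 form, no qop offered

def authorization_header(challenge, method, uri, user, password, cnonce, nc=1):
    """Build the Authorization value sent with the second request."""
    resp = digest_response(challenge, method, uri, user, password, cnonce, nc)
    fields = [f'username="{user}"', f'realm="{challenge["realm"]}"',
              f'nonce="{challenge["nonce"]}"', f'uri="{uri}"']
    if "auth" in challenge.get("qop", "").split(","):
        fields += ["qop=auth", f"nc={nc:08x}", f'cnonce="{cnonce}"']
    fields.append(f'response="{resp}"')
    if "opaque" in challenge:
        fields.append(f'opaque="{challenge["opaque"]}"')
    return "Digest " + ", ".join(fields)

# Challenge and credentials: the worked example from RFC 2617 section 3.5.
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

if __name__ == "__main__":
    ch = parse_challenge(CHALLENGE)  # only available after the first 401
    print(authorization_header(ch, "GET", "/dir/index.html",
                               "Mufasa", "Circle Of Life", "0a4f113b"))
```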

Received on 2012-04-14