
curl-library

Regression in 7.28 (and 7.27) with HTTP Digest authentication and connection reuse

From: Nick Zitzmann <nick_at_chronosnet.com>
Date: Fri, 12 Oct 2012 17:34:07 -0600

I didn't see this on the list of known bugs. I found a problem today where, if a server advertises support for HTTP Digest authentication and libcurl authenticates with the server successfully, and then re-uses the connection, then the next attempt to fetch something that requires authentication will fail. This does not happen when using HTTP Basic authentication to authenticate with the server.

Specifically, what happens is:

1. The app using libcurl creates a new easy handle and configures it with the URL, authentication information, etc.
2. libcurl opens a connection to the server
3. libcurl sends an HTTP request
4. The server returns HTTP 401 (as expected)
5. libcurl automatically rewinds and sends another request to the URL, this time with an Authorization header (correct behavior)
6. The server returns the requested information
7. The app using libcurl calls curl_easy_perform() again on the same easy handle with a URL pointing to the same server
8. Re-using the connection, libcurl sends an HTTP request, but does not print the Authorization header (oops, that's not expected behavior)
9. The server returns HTTP 401
10. libcurl gives up and returns an authentication error to the app

This used to work as expected in the older version of libcurl that this particular project was using, which was 7.23.1.

After a lot of searching, I finally figured out what caused this regression. It was this commit:
<https://github.com/bagder/curl/commit/ce8311c7e49eca93c136b58efa6763853541ec97>

The code in that commit zeros out the authentication state in Curl_pretransfer(), which means if we knew that the server wanted digest authorization in the past, we sure didn't anymore. If I comment out that code, then the regression goes away, so I was wondering:

1. Why do we do this?
2. Can we take this out, or can we change this so the zeroing out only happens the first time that particular server/user name/password combination is used? As it is, it is breaking connection re-use and digest authentication. (And apps using libcurl should be able to re-use connections with Digest authentication.)

Nick Zitzmann
<http://www.chronosnet.com/>
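The ten-step sequence above, reduced to a self-contained demo (added here; this is not libcurl code and not from the original post). A loopback server issues a Digest challenge, and a client keeps a single HTTP/1.1 connection across two transfers while either retaining the challenge state (realm, nonce, nonce count) between them or forgetting it before every transfer. The second mode reproduces the observable symptom of step 8: the request on the reused connection goes out without an Authorization header and the server answers 401 again. It models only that missing header, not why libcurl then gives up at step 10. Credentials, realm, paths and the single server nonce are constructed for the demo.

```python
"""Digest auth over a reused HTTP/1.1 connection: retained vs. reset challenge state."""
import hashlib
import os
import re
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed demo credentials; the server uses one nonce for the whole run.
REALM = "demo"
USER, PASSWORD = "alice", "s3cret"
NONCE = os.urandom(8).hex()


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(method, uri, nonce, nc, cnonce, realm=REALM, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5hex(f"{USER}:{realm}:{PASSWORD}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_digest(header):
    """Parse 'Digest k="v", k2=v2, ...' (WWW-Authenticate or Authorization) into a dict."""
    if not header or not header.startswith("Digest "):
        return None
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):])
    return {k: quoted or bare for k, quoted, bare in pairs}


class DigestHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"  # keep-alive, so the client can reuse the connection
    connections = 0                # TCP connections accepted: shows the client reuses one

    def handle(self):
        type(self).connections += 1
        super().handle()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        auth = parse_digest(self.headers.get("Authorization"))
        ok = (auth is not None
              and auth.get("username") == USER
              and auth.get("nonce") == NONCE
              and auth.get("uri") == self.path
              and auth.get("response") == digest_response(
                  "GET", self.path, NONCE, auth.get("nc", ""), auth.get("cnonce", "")))
        body = b"ok" if ok else b"unauthorized"
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate",
                             f'Digest realm="{REALM}", qop="auth", nonce="{NONCE}"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class DigestClient:
    """One keep-alive connection; keep_state=False forgets the challenge before each transfer."""

    def __init__(self, host, port, keep_state):
        self.conn = HTTPConnection(host, port)
        self.keep_state = keep_state
        self.challenge = None  # realm/nonce learned from the last 401
        self.nc = 0            # nonce count; must increase on every use of the nonce

    def _authorization(self, method, path):
        self.nc += 1
        nc, cnonce = f"{self.nc:08x}", os.urandom(4).hex()
        resp = digest_response(method, path, self.challenge["nonce"], nc, cnonce,
                               realm=self.challenge["realm"])
        return (f'Digest username="{USER}", realm="{self.challenge["realm"]}", '
                f'nonce="{self.challenge["nonce"]}", uri="{path}", qop=auth, '
                f'nc={nc}, cnonce="{cnonce}", response="{resp}"')

    def _send(self, path, headers):
        self.conn.request("GET", path, headers=headers)
        r = self.conn.getresponse()
        r.read()  # drain the body so the connection stays reusable
        return r.status, r.getheader("WWW-Authenticate")

    def get(self, path):
        """Return (status of every attempt, whether the first attempt carried Authorization)."""
        if not self.keep_state:
            self.challenge = None  # the per-transfer reset the post describes
        preemptive = self.challenge is not None
        headers = {"Authorization": self._authorization("GET", path)} if preemptive else {}
        status, www = self._send(path, headers)
        statuses = [status]
        if status == 401 and www:  # learn (or refresh) the challenge and retry once
            self.challenge = parse_digest(www)
            statuses.append(self._send(path, {"Authorization": self._authorization("GET", path)})[0])
        return statuses, preemptive


def run_scenario(keep_state, paths=("/a", "/b")):
    """Serve on a loopback port, fetch each path over one connection; return (results, connections)."""
    DigestHandler.connections = 0
    server = ThreadingHTTPServer(("127.0.0.1", 0), DigestHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        client = DigestClient("127.0.0.1", server.server_address[1], keep_state)
        results = [client.get(p) for p in paths]
        client.conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return results, DigestHandler.connections


if __name__ == "__main__":
    for keep in (True, False):
        print("keep_state =", keep, "->", run_scenario(keep))
```

With the state retained, the second transfer sends Authorization up front with an incremented nonce count and gets 200 in one round trip; with the state reset, it goes out bare, draws a fresh 401 and has to authenticate again, while the server's connection counter stays at 1 in both runs, so the difference is purely the client-side auth state, not the connection.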

Received on 2012-10-13