
curl-library

RE: Problem with NEGOTIATE-Proxy-Authentication and not reusing underlying TCP-Connections

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 23 Oct 2014 11:11:55 +0200 (CEST)

On Thu, 23 Oct 2014, Stefan Bühler wrote:

>> Connection-based authentication methods are violators of the HTTP spec and
>> thus we handle them separately from the "normal" ones. We need to start
>> handling Negotiate as we handle NTLM I guess.
>
> I still think the current Digest behaviour is broken too;

Can you show that with some source code or a test case?

> curl_easy_cleanup + curl_easy_init shouldn't behave differently than
> curl_easy_reset, but the former destroys the Digest state and the latter
> keeps it

This is documented behavior! curl_easy_reset() keeps state but resets all
user-settable options back to default. curl_easy_init() of course has no state
at all.

I'm not sure I see the benefit in also throwing away the state in
curl_easy_reset().

It is important to remember that libcurl works with _transfers_, not single
connections and not single requests. The easy handle is an association to that
transfer and while you can reset the options of the transfer, it still is a
handle to a transfer or state generated from the previous one. If you close
the handle, there's no association left to any previous transfer. Then there's
only connections remaining and connections only have a subset of the state
info.

I think you need to motivate this better than just operation A should be the
same as operation B if you think we should change it.

> Basic proxy-authentication just happens to work because it reuses the
> previous proxy-authentication header, but it doesn't look like it is on
> purpose - I'm pretty sure the internal flags don't represent the "we just
> did Basic auth".

Yes it is on purpose. We even have test cases that break connections and
maintain authentication.

> So I think the best way would be to throw away the proxy-authentication
> header the same way as the normal header (without switch and special cases),
> and keep the authentication state in the connection.

Definitely not.

It would introduce performance regressions and would even completely break
some use cases. There are sites and servers that will break connections "in
the middle" of authenticated "sessions". It would even completely break some
servers that never do persistent connections but yet require authentication.

-- 
  / daniel.haxx.se

Received on 2014-10-23