On Fri, 13 May 2011 00:05:40 +0200 (CEST), Daniel Stenberg <dan...@haxx.se> wrote:
>On Thu, 12 May 2011, Ibraheem wrote: > > ... > >> 1) In my test environment, it was crashing in http_negotiate_sspi.c due to >> the fact that after the first Curl_output_negotiate , a call to cleanup >> clears the neg_ctx->output_token but not the length of it, which causes >> problems in the next Curl_input_negotiate. So clearing the length of the >> token in cleanup solves it. > >Can you provide a patch so that we don't misunderstand? Attached you find a patch that fixes the problem (and changes the order of some initialization statements to make them appear somewhat more logical, now I had to read them back myself). Unfortunately, in my original implementation, I didn't test two subsequent calls in the same session. >> 2) In every client-server request, it re-authenticates, is it by design? > >No. Interesting to see how different browsers deal with this: - Chrome and Firefox behave like curl: every subsequent request starts afresh, ie. not using any knowledge that a subsequent request may also need negotiate authentication - IE already adds a Negotiate header if it knows that a particular path uses Negotiate authentication. This saves one round trip per request. NTLM remembers that a connection is already authenticated, and apparently doesn't need any additional authentication for subsequent requests on the same connection. Cheers, Marcel ------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
