> What are you proposing we should do?
I acknowledge that the CURLOPT_HTTPAUTH is set per transfer. So if I set
CURLAUTH_DIGEST, curl should really try Digest and in the same manner I
understand that CURLAUTH_ANY* is also set "per transfer". Strictly interpreted
this should require curl to renegotiate for every single transfer that is
requested.
But at the same time CURLAUTH_ANY* is a bit loosely defined ("libcurl will
automatically select the one it finds most secure"). I don't know if there are
RFC:s that require a new negotiation with the host for each new request?
Otherwise, I think curl should be a bit free to use whatever auth method works
best for the moment. That is, the user has not set any fixed requirements and
we already have an existing authentication with the host, that at least earlier
was the most secure and best matched.
So for example, for Digest an extra roundtrip to get the nonce-value for the
next message will be needed. But for Basic, it should only be a matter of
continuing to add the basic auth headers when we have an existing basic-auth
authentication with the host. (Assuming the user has not changed credentials
between requests.) If a 401 is received (unlikely), a new "negotiation" can be
made, potentially resulting in something else than Basic and the message can be
resent.
I guess this optimization will mostly be for Basic, maybe it could be used for
some other auth methods. You probably know that best. But even if it's only
implemented for Basic, that has to be the most common auth method used, so it
will be valuable anyway.
--
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
