Alright, so this message sums up what I understand about the way HTTP authentication currently works, how I think it should work, and what I'm intending to do as a stop-gap fix for 1.11.
HOW IT WORKS NOW:

As I understand it, --user and --password cause wget to blindly supply, via the Basic authentication mechanism, the user and password supplied with these options, for every URI on every host that wget encounters (unless overridden via a "user:pass@" specification).

When wget is given a URI with the "user:pass@" deal, wget will use that username and password to fetch that specific URI, but no others: not images, not any other URIs in deeper paths, nothing. It's a one-time deal.

When information is given via "user:pass@", this information appears in the Referer field to resources obtained via recursion.

HOW IT SHOULD WORK:

When "user:pass@" is specified, Wget should record that information, but send nothing by default. Once it receives a challenge, it should record the auth mechanism, realm and protection-space information for the challenge, and feel free to issue its response on all further URIs within the relevant protection space (for the Basic mechanism, the protection space is the relevant URI and all URIs deeper, and any URIs on the same host for which the server issues a challenge with the same realm; for the Digest mechanism, the protection space is either explicitly defined, or else consists of the entire server).

In no event should the user:pass@ information be sent in the Referer header; ideally, it should be parsed out at the very beginning, recorded as just described, and then removed from the URI before it is used any further.

--user and --pass can then become essentially equivalent to prefixing every command-line-specified URI with "user:pass@" information: it will wait until challenged, and limit future authenticated responses to the appropriate protection spaces (and, in particular, not automatically use them for each and every request, regardless of host).

While we're on the subject, authentication info should be readable from a file, and certainly from the terminal with local echo turned off.
At some point, users should be able to describe protection-spaces and associate user/pass info with them.

HOW IT WILL WORK IN WGET 1.11:

The above, however, is too much work to get done before our next release. What I propose to do in the meantime is:

. user:pass@ will still affect just one URI; however, it will wait for a challenge before authenticating.
. --user and --password will wait for a challenge before authentication. If the challenge mechanism is Basic, it will assume the protection space is the entire host (which will be tracked with a simple hash table). Digest and NTLM will be forgotten after each authentication, just as happens currently.
. Put warnings in the documentation.

--
Micah J. Cowan
Programmer, musician, typesetting enthusiast, gamer...
http://micah.cowan.name/
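An added example (not wget's own code, and not part of the original message) that models the challenge-first policy described above in Python: user:pass@ is stripped from the URL before any request is made so it cannot leak into Referer, credentials are only sent after a Basic challenge, and the protection space is either the RFC 2617 path prefix (the proposed behaviour) or the whole host (the 1.11 stop-gap). The AuthStore class, its methods and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

def strip_userinfo(url):
    """Return (url without user:pass@, user, password). The clean URL is
    the only form that should reach Referer or any later request."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    clean = urlunsplit((p.scheme, host, p.path or "/", p.query, p.fragment))
    return clean, p.username, p.password

def basic_space(path):
    """RFC 2617 Basic protection space: the directory of the challenged
    path and everything below it ('/a/b.html' -> '/a/')."""
    return path.rsplit("/", 1)[0] + "/"

class AuthStore:
    """Hypothetical credential store: nothing is sent until a challenge arrives."""
    def __init__(self, default=None, whole_host=False):
        self.default = default        # (user, pw) from --user/--password
        self.whole_host = whole_host  # True = the 1.11 stop-gap (space = entire host)
        self.per_url = {}             # clean URL -> (user, pw) from a user:pass@ URL
        self.spaces = []              # (host, realm, path prefix, user, pw) learned from challenges

    def add_url(self, url):
        """Record user:pass@ from a command-line URL and return the cleaned URL."""
        clean, user, pw = strip_userinfo(url)
        if user is not None:
            self.per_url[clean] = (user, pw or "")
        return clean

    def credentials_for(self, url):
        """Pre-emptive credentials: only inside a space learned from a challenge."""
        p = urlsplit(url)
        path = p.path or "/"
        for host, _realm, prefix, user, pw in self.spaces:
            if p.hostname == host and path.startswith(prefix):
                return user, pw
        return None

    def on_challenge(self, url, realm):
        """A 401 with 'WWW-Authenticate: Basic realm=<realm>' arrived for a clean URL."""
        p = urlsplit(url)
        # Same host + same realm seen before: reuse those credentials and extend the space.
        creds = next(((u, pw) for h, r, _, u, pw in self.spaces
                      if h == p.hostname and r == realm), None)
        creds = creds or self.per_url.get(url) or self.default
        if creds is None:
            return None
        prefix = "/" if self.whole_host else basic_space(p.path or "/")
        self.spaces.append((p.hostname, realm, prefix, *creds))
        return creds
```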