NTLM: handle auth for only a single request

Currently when the server responds with 401 on NTLM authenticated connection (re-used) we consider it to have failed. However this is legitimate and may happen when for example IIS is set configured to 'authPersistSingleRequest' or when the request goes thru a proxy (with 'via' header). Implemented by imploying an additional state once a connection is re-used to indicate that if we receive 401 we need to restart authentication. Closes #363
2024-11-16 06:25:03 -05:00 · 2015-08-04 02:20:23 +03:00 · 2015-08-04 02:20:23 +03:00 · fe6049f04b
commit fe6049f04b
parent 7f11259eb7
1 changed files with 8 additions and 1 deletions
--- a/lib/curl_ntlm.c
+++ b/lib/curl_ntlm.c
@ -84,7 +84,11 @@ CURLcode Curl_input_ntlm(struct connectdata *conn,
      ntlm->state = NTLMSTATE_TYPE2; /* We got a type-2 message */
    }
    else {
-      if(ntlm->state == NTLMSTATE_TYPE3) {
+      if(ntlm->state == NTLMSTATE_LAST) {
+        infof(conn->data, "NTLM auth restarted\n");
+        Curl_http_ntlm_cleanup(conn);
+      }
+      else if(ntlm->state == NTLMSTATE_TYPE3) {
        infof(conn->data, "NTLM handshake rejected\n");
        Curl_http_ntlm_cleanup(conn);
        ntlm->state = NTLMSTATE_NONE;
@ -211,6 +215,9 @@ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy)
  case NTLMSTATE_TYPE3:
    /* connection is already authenticated,
     * don't send a header in future requests */
+    ntlm->state = NTLMSTATE_LAST;
+
+  case NTLMSTATE_LAST:
    Curl_safefree(*allocuserpwd);
    authp->done = TRUE;
    break;