On Fri, Jan 01, 2016 at 03:42:11PM -0500, Karl Dahlke wrote:
> > My issue here is with any fancy redirects we may encounter.
>
> The "stop and ask" where to download the file happens after all the redirects.
> We have the actual url, cookies set,
> authorizing user password if any, it's all in place,
> and it all runs when restarted.
> I don't think there's a problem here.

If people play nice then no, but my worry is single access downloads where a
HEAD request may be special cased to not trigger the download lock, but a GET
request may alter the cookie such that a subsequent GET to the same URL
actually requires re-running all the fancy js-based auth in front of the
download. It's probably unlikely but I can certainly imagine implementing such
a system in certain circumstances and think it's worth handling if we can.

Cheers,
Adam.