Hi Ara

> the login works - the cookie is returned.  however, the login page is supposed
> to bounce you back to http://rubyforge.org/my/, as you can see by the 302
> (FOUND) status code and the ["Location", "/my/"] header.

I am pretty sure that the HTTP spec requires that a Location header's content
is a full, absolute URL including protocol and server. The behaviour
of treating a 'broken' relative URL in a Location header by joining to the
server in the original request is pervasive among user agents, but I think
http-access2 is probably entitled not to implement it.

On a really pernickety reading of the HTTP spec, I think 303 is the correct
response for the server to issue in these circumstances (redirecting a
POST to a GET), but I've never seen it "in the wild".

> am i doing something wrong or is this a bug?

Neither :) ... but I can't see there would be much harm in http-access2
emulating this widespread 'broken' behaviour - a change request?

alex
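
Added example, not part of the original message and not http-access2 code: one way a client could emulate the behaviour discussed above, resolving a relative Location against the original request URL and choosing the follow-up method. The helper name `next_request`, the login URL, the http/https scheme check and the `same_origin` flag (useful when deciding whether to resend the login cookie) are assumptions made for illustration.

```ruby
require 'uri'

REDIRECTS = [301, 302, 303, 307, 308].freeze

# Hypothetical helper, not part of http-access2: given the request that was
# sent and the redirect received, return the follow-up request to make,
# or nil when the response is not a redirect.
def next_request(request_url, request_method, status, location)
  return nil unless REDIRECTS.include?(status) && location

  base = URI.parse(request_url)
  # URI.join leaves an absolute Location untouched and resolves a relative
  # one ("/my/", "my/", "../x") against the URL of the original request.
  target = URI.join(request_url, location.strip)

  # Added caveat: only follow to http(s); a Location can name any scheme.
  unless %w[http https].include?(target.scheme)
    raise ArgumentError, "refusing redirect to scheme #{target.scheme.inspect}"
  end

  method =
    case status
    when 303      then request_method == 'HEAD' ? 'HEAD' : 'GET'
    when 301, 302 then request_method == 'POST' ? 'GET' : request_method
    else               request_method # 307/308 keep method and body
    end

  # Same scheme, host and port as the original request?
  same_origin = [base.scheme, base.host, base.port] ==
                [target.scheme, target.host, target.port]

  { url: target.to_s, method: method, same_origin: same_origin }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed login URL; "/my/" and the 302 are the values from the thread.
  p next_request('http://rubyforge.org/account/login.php', 'POST', 302, '/my/')
end
```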