Behavior seen (with curl_multi - may happen with easy too):
Url A is accessed using auth. Url A redirects to Url B (on a different server0. Url B reuses a persistent connection. Url B has auth, even though it's on a different server.
Note: if Url B does not reuse a persistent connection, auth is not sent.
data->state.first_host is not initialized becuase Curl_http_connect is not called when a connection is reused.
move initialization of data->state.first_host to Curl_http. No code before Curl_http uses data->state.first_host anyway.
Patch might also fix issue at http://curl.haxx.se/mail/lib-2009-04/0354.html