Should redirection authorization be allowed?

If I (an HTTP client) connect to a server with authentication parameters (username / password), and the server sends me a 301 response (permanent redirect), should my HTTP client automatically send a username / password with a request sent to a new location?

The question is about standard and best practices - I did not find anything specific in RFC 2616 and RFC 2617.


I don’t know if this will help you at all, but most of the messages I saw on this subject said that the authorization header should be removed for redirection. There are a few bugs on GitHub where people ask to remove the authorization header as it is standard.

"Unfortunately, when the redirect is completed, the authorization header is removed from the new request." http://blogs.msdn.com/b/paulking/archive/2011/03/31/how-to-lose-your-authorization-head-er-with-a-bad-url.aspx

"The authorization header is cleared by auto-forwarding, and HttpWebRequest automatically tries to re-authenticate at the redirected location." http://msdn.microsoft.com/en-us/library/system.net.httpwebrequest.allowautoredirect.aspx

https://github.com/mikeal/request/issues/450

http://lists.apple.com/archives/webkitsdk-dev/2011/Mar/msg00004.html
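As an added illustration of the policy the references above describe (not code from the answer or from any of the linked projects), here is a small Python helper that decides which request headers may follow a redirect. It keeps credential-bearing headers only when the redirect target has the same origin (scheme, host and port) as the original request, and drops them otherwise; the header set and the origin rule are this example's own assumptions, chosen so that a redirect to another host, or an https-to-http downgrade, can never leak the Basic credentials.

```python
from urllib.parse import urlsplit, urljoin

# Headers that carry credentials; they must not follow a cross-origin redirect.
# (Assumed set for this example; extend it for any custom auth header you use.)
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def same_origin(url_a, url_b):
    """True when scheme, host and effective port all match."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    port_a = a.port or DEFAULT_PORTS.get(a.scheme)
    port_b = b.port or DEFAULT_PORTS.get(b.scheme)
    return (a.scheme, a.hostname, port_a) == (b.scheme, b.hostname, port_b)


def redirect_headers(original_url, location, headers):
    """Return (target_url, headers) to use when following a 301/302/307/308.

    `location` may be relative (RFC 7231 permits this), so it is resolved
    against the original URL first. Credential-bearing headers are kept for
    a same-origin target and removed for any other target, which also covers
    a downgrade from https to http on the same host (the scheme differs).
    """
    target = urljoin(original_url, location)
    if same_origin(original_url, target):
        return target, dict(headers)
    kept = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}
    return target, kept


if __name__ == "__main__":
    # Constructed sample request: Basic credentials sent to an API host.
    req_headers = {"Authorization": "Basic Zm9vOmJhcg==", "Accept": "application/json"}
    for loc in ("/v2/items", "https://cdn.example.net/items", "http://api.example.com/v2/items"):
        target, hdrs = redirect_headers("https://api.example.com/v1/items", loc, req_headers)
        print(target, "->", sorted(hdrs))
```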
