
Should authorization be kept when redirection is handled?

If I (HTTP client) connect to the server with authentication parameters (username/password) and the server sends me a 301 response (permanent redirect), should my HTTP client automatically send the username/password with a request going to the new location?

The question is about the standard and best practices - I couldn't find anything definite in RFC 2616 and RFC 2617.

Eugene Mayevski 'Callback asked Jun 13 '13 16:06



1 Answer

I don't know if this helps you at all, but most of the posts I've seen regarding this have said that the Authorization header should be removed for redirects. There are a few bugs on GitHub with people asking for the Authorization header to be removed because it is the standard.

"Unfortunately, when the redirect is completed, the Authorization header is removed from the new request." http://blogs.msdn.com/b/paulking/archive/2011/03/31/how-to-lose-your-authorization-head-er-with-a-bad-url.aspx

"The Authorization header is cleared on auto-redirects and HttpWebRequest automatically tries to re-authenticate to the redirected location." http://msdn.microsoft.com/en-us/library/system.net.httpwebrequest.allowautoredirect.aspx

https://github.com/mikeal/request/issues/450

http://lists.apple.com/archives/webkitsdk-dev/2011/Mar/msg00004.html

Darlene answered Oct 01 '22 22:10
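
The redirect handling discussed in the answer above, as an added example that is not part of the original post or of any library it links to. It goes beyond the answer by also showing an origin-comparison policy (an assumption here); the function names, hosts and header values are hypothetical and constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Headers that carry credentials and should not follow a request elsewhere.
SENSITIVE = {"authorization", "proxy-authorization", "cookie"}
DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed sample data: URL -> (status, Location). Hosts are placeholders.
START = "https://api.example.test/v1/data"
SAMPLE_HOPS = {
    START: (301, "/v2/data"),  # relative, same origin
    "https://api.example.test/v2/data": (301, "https://cdn.example.net/data"),
}
SAMPLE_HEADERS = {"Authorization": "Basic constructed-sample", "Accept": "*/*"}

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)

def next_request(url, headers, status, location, strict=False):
    """Return (url, headers) for the request that follows a response.

    strict=True drops credentials on every redirect; strict=False drops them
    only when scheme, host or port changes (an assumed, looser policy).
    """
    if status not in REDIRECT_CODES or not location:
        return url, dict(headers)
    target = urljoin(url, location)  # Location may be relative
    if strict or origin(target) != origin(url):
        headers = {k: v for k, v in headers.items() if k.lower() not in SENSITIVE}
    return target, dict(headers)

def follow(start, headers, hops, strict=False, limit=5):
    """Walk the redirect table offline; record (url, credentials_sent) per hop."""
    url, trail = start, []
    for _ in range(limit):
        status, location = hops.get(url, (200, None))
        trail.append((url, any(k.lower() == "authorization" for k in headers)))
        if status not in REDIRECT_CODES:
            break
        url, headers = next_request(url, headers, status, location, strict)
    return trail

if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "origin-check", follow(START, SAMPLE_HEADERS, SAMPLE_HOPS, strict))
```

With `strict=True` the credentials stop at the first hop, matching the "cleared on auto-redirects" behaviour quoted in the answer; with the origin check they survive the same-origin hop and are dropped before the request to the second host.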