在处理重定向时是否应该保留授权？ [英] should authorization be kept when redirection is handled?

问题描述

如果我（HTTP客户端）使用身份验证参数（用户名/密码）连接到服务器并且服务器向我发送301响应（永久重定向），我的HTTP客户端是否应自动发送用户名/密码并请求转到新位置？

If I (HTTP client) connect to the server with authentication parameters (username/password) and the server sends me 301 response (permanent redirect), should my HTTP client automatically send username/password with a request going to the new location?

问题是关于标准和最佳实践 - 我在RFC 2616和RFC 2617中找不到任何明确的内容。

The question is about the standard and best practices - I couldn't find anything definite in RFC 2616 and RFC 2617 .

推荐答案

我不知道这对你有什么帮助，但我见过的大部分帖子都说过应该删除授权标头以进行重定向。 github上有一些bug，人们要求删除Authorization标头，因为它是标准的。

I don't know if this helps you at all, but most of the posts I've seen regarding this have said that the Authorization header should be removed for redirects. There are a few bugs on github with people asking for the Authorization header to be removed because it is the standard.

不幸的是，当重定向完成时，Authorization标头从新请求中删除。
http://blogs.msdn.com/b/paulking/archive/2011/03/31/how-to-lose-your-authorization-head-er-with-a-bad-url。 aspx

"Unfortunately, when the redirect is completed, the Authorization header is removed from the new request." http://blogs.msdn.com/b/paulking/archive/2011/03/31/how-to-lose-your-authorization-head-er-with-a-bad-url.aspx

自动重定向时清除授权标头，HttpWebRequest会自动尝试重新验证重定向位置。
http://msdn.microsoft.com/en-us/ library / system.net.httpwebrequest.allowautoredirect.aspx

"The Authorization header is cleared on auto-redirects and HttpWebRequest automatically tries to re-authenticate to the redirected location." http://msdn.microsoft.com/en-us/library/system.net.httpwebrequest.allowautoredirect.aspx

https://github.com/mikeal/request/issues/450

http://lists.apple.com/archives/webkitsdk-dev/2011/Mar/msg00004.html

这篇关于在处理重定向时是否应该保留授权？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！