MVC Redirect with custom headers


Question

Hopefully this is a simple question for someone out there.

Basically upon receiving a request to my MVC controller, I want to:

  1. Add an "Authorization" header to the response
  2. Redirect to another application on a different domain
  3. Read the "Authorization" header on that external site.

It appears the act of redirecting, strips out all my custom headers and redirects.

My question, how can I add a new header, AND perform a redirect, AND have that header show up in the headers for the receiving host [at the end of the redirect] to read?

Answer

You can't. That's not how HTTP works. First, a "redirect" is just a 301, 302, or (since HTTP 1.1) 307 status code with the Location header set to the URL the client should go to. It's the client that initiates the request to that URL, so you have no control over what headers they send.

Second, HTTP is stateless, so the fact that an Authorization header was sent in some response at some point has zero bearing on anything that happens in any future requests. Web browsers and other HTTP clients skirt around the stateless nature of HTTP by using sessions on the server-side and cookies on the client side. The client sends the cookie to the server with the request. The cookie matches an item in the session store on the server, and the server loads up the data from that session to give the appearance as though state was maintained.

Third, cookies don't work in this situation, because they are domain bound and are not sent along with requests to domains they did not originate from. So, even if you were to create a session to maintain the authorization, the other site would never see it.

FWIW, the basic premise here, sharing authentication state with a different domain, is exactly what technologies like OAuth were developed for. So direct future research in that direction.
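The redirect mechanics the answer describes can be watched end to end with two in-process HTTP servers standing in for the two domains. This is an added example, not code from the question or the answer: both "hosts" are constructed 127.0.0.1 servers on random ports, the token value is made up, and Python's urllib plays the role of the browser. The first host sets an Authorization header on its 302, the client follows the Location, and the second host records which request headers actually arrived.

```python
"""Show why a header set on a 3xx response never reaches the redirect target.

Two tiny in-process HTTP servers stand in for the two domains in the
question (constructed stand-ins, bound to 127.0.0.1 on random ports).
"""
import http.server
import threading
import urllib.error
import urllib.request

# What each stand-in host actually received, keyed by a constructed host name.
received = {"first": [], "second": []}


class FirstHost(http.server.BaseHTTPRequestHandler):
    """The MVC app from the question: sets a header, then redirects."""

    redirect_to = None  # filled in by run_demo() once the second port is known

    def do_GET(self):
        received["first"].append({k.lower(): v for k, v in self.headers.items()})
        self.send_response(302)
        self.send_header("Location", self.redirect_to)
        # The header the question hoped would travel with the redirect
        # (constructed token value).
        self.send_header("Authorization", "Bearer constructed-token")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


class SecondHost(http.server.BaseHTTPRequestHandler):
    """The external site: just records which request headers arrived."""

    def do_GET(self):
        received["second"].append({k.lower(): v for k, v in self.headers.items()})
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"landed")

    def log_message(self, *args):
        pass


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Opener helper: surface the 302 itself (as HTTPError) instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _serve(handler):
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_demo():
    """Return (headers on the 302 response, request headers the second host saw)."""
    second = _serve(SecondHost)
    FirstHost.redirect_to = "http://127.0.0.1:%d/landing" % second.server_address[1]
    first = _serve(FirstHost)
    start_url = "http://127.0.0.1:%d/login" % first.server_address[1]
    try:
        # 1. Look at the redirect response itself: the custom header is there.
        redirect_headers = {}
        try:
            urllib.request.build_opener(NoRedirect).open(start_url)
        except urllib.error.HTTPError as err:
            redirect_headers = {k.lower(): v for k, v in err.headers.items()}
        # 2. Now let the client follow the redirect. It builds a *new* request
        #    from its own state; response headers of the 302 play no part.
        body = urllib.request.urlopen(start_url).read()
        assert body == b"landed"
        return redirect_headers, received["second"][-1]
    finally:
        first.shutdown()
        first.server_close()
        second.shutdown()
        second.server_close()


if __name__ == "__main__":
    redirect_headers, landing_request = run_demo()
    print("on the 302 response:", redirect_headers.get("authorization"))
    print("request headers seen by the second host:", sorted(landing_request))
```

Running it prints the token on the 302 response and a landing request that carries only what the client itself chose to send (Host, User-Agent and the like); the Authorization header never appears on the second host. That is the answer's first point in practice, and it is also why the usual answer is a token exchange with the other domain (OAuth-style) rather than anything attached to the redirect response.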
