Xamarin-android: AndroidClientHandler doesn't clear Authorization header on redirect

Created on 4 Jul 2018  路  3Comments  路  Source: xamarin/xamarin-android

We have discovered that the AndroidClientHandler transmits all headers when following redirects with AllowAutoRedirect=true. I could not find any authoritative info how this should be handled, however the HttpClientHandler seems to clear the Authorization header when redirecting (see https://github.com/dotnet/corefx/blob/master/src/System.Net.Http/src/System/Net/Http/SocketsHttpHandler/RedirectHandler.cs).
From my testing, it appears the NSUrlSessionHandler does so too.

Should we change the AndroidClientHandler to be more consistent with the other platforms on this issue?

VS bug #737231

bug vs-sync
Source
picture dominik-weber

Most helpful comment

@spouliot I meant to say the NSUrlSessionHandler does clear the auth header, just as the HttpClientHandler does. Sorry for the confusion 馃檨

picture dominik-weber on 8 Nov 2018
😄1 👍1

All 3 comments

From my testing, it appears the NSUrlSessionHandler does so too.

@dominik-weber can you double check that ? our own tests show the NSUrlSessionHandler behaviour to be fine - maybe a different handler was used?

spouliot picture spouliot on 8 Nov 2018

@spouliot I meant to say the NSUrlSessionHandler does clear the auth header, just as the HttpClientHandler does. Sorry for the confusion 馃檨

dominik-weber picture dominik-weber on 8 Nov 2018
😄1 👍1

This fix was applied to d15-9 via commit c0813c522e3dae40c6a79be727f84beaa0f7e6fe, and has been released in Xamarin.Android 9.1 SR4.

jonpryor picture jonpryor on 15 Dec 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

EmilAlipiev picture EmilAlipiev  路  3Comments
sdebruyn picture sdebruyn  路  3Comments
jamesmontemagno picture jamesmontemagno  路  3Comments
jonpryor picture jonpryor  路  3Comments
rusanov-vladimir picture rusanov-vladimir  路  4Comments