Mads Peter Jensen

Reputation: 1

Authorization header is not sent on redirect

I am trying to redirect to a new location and pass the authorization bearer, but it seems that the bearer token is not sent.

I am doing this in my PHP code:

// $retval holds the bearer token obtained earlier in the script
header('Authorization: Bearer ' . $retval);
header('Location:http://nextsite.com/home/index', true, 301);
exit();

I have enabled the Authorization header in my .htaccess file:

SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

And I am able to call the site with a cURL call where the bearer token is sent through without problems.

I am running PHP version 8.3. Server version: Apache/2.4.52 (Ubuntu), Server built: 2024-07-17T18:57:26.

I have tried many things: changing the order of the header calls, the capitalization of the authorization/bearer, all without any luck.

Upvotes: 0

Views: 53

Answers (1)

Andreas

Reputation: 108

What you are doing with this code is sending response headers to the browser. You are not sending anything to any server.

The second line

header('Location:http://nextsite.com/home/index', true, 301);

tells the browser that it is supposed to send a GET request to the given URL (by the way: there should be a space between "Location:" and "http..."). The Authorization header line will very likely be ignored. At least, I have never heard of browsers taking this into account. I also think it's a serious security risk to send auth tokens in response headers to the browser.

And one more hint: The browser may follow the given redirect URL or not. You can't rely on this.

Upvotes: 0
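The behaviour Andreas describes can be observed with a small local experiment. This is an added example, not code from the question or the answer: a constructed local HTTP server mimics the PHP script (a 301 to /home/index with an Authorization response header carrying a placeholder token), and a standard client follows the redirect. The headers that actually arrive at the redirect target show that the token is not carried over, only handed to the client.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

# Constructed demo values; the token is a placeholder, not a real credential.
FAKE_TOKEN = "demo-token-not-real"
seen_headers = {}  # headers received by the redirect target


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/login":
            # Same shape as the question's PHP: a 301 plus an Authorization
            # *response* header, which the client receives but does not forward.
            self.send_response(301)
            self.send_header("Authorization", "Bearer " + FAKE_TOKEN)
            self.send_header("Location", "http://127.0.0.1:%d/home/index"
                             % self.server.server_port)
            self.end_headers()
        else:
            # The redirect target records what the client actually sent.
            seen_headers.update({k.lower(): v for k, v in self.headers.items()})
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo output quiet
        pass


def follow_redirect():
    """Serve on a random port, let urllib follow /login -> /home/index and
    return the request headers the redirected request carried."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        with urlopen("http://127.0.0.1:%d/login" % srv.server_port) as resp:
            if resp.read() != b"ok":
                raise RuntimeError("redirect was not followed")
        return dict(seen_headers)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    headers = follow_redirect()
    print("Authorization forwarded on redirect:", "authorization" in headers)
```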
