NSURLRequest lost HTTP header “Authorization” while redirecting the request
We have a problem with downloading files from the server in background mode. The HTTP header “Authorization” field is lost while redirecting the request to another server.

We made some experiments and noticed that other fields (even the same one with an underscore symbol at the end, “Authorization_”) work perfectly on redirect. It looks like this field is erased for some security reasons, for example if different servers use different authentication data.

It is possible to append “Authorization” field manually in foreground mode using

URLSession:task:willPerformHTTPRedirection:newRequest:completionHandler:

method. There’s a problem when we try to use the redirect request in background mode, because according to the documentation, “Tasks in background sessions automatically follow redirects.”

I cannot find anything about skipping this field in RFC 2616, but I suppose that there’s probably some undocumented solution to save the “Authorization” field during a redirect in background mode.

Let me assume that our front-end server may provide some special field in the redirect response that would say that the redirected server is trusted and we can use the “Authorization” field without any modifications.

That is just an idea and probably we have to use it somehow else. Could you direct us please?

Geniagenial answered 30/4, 2014 at 12:28 Comment(0)
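The foreground approach described in the question, as an added example that is not part of the original post: a task delegate that re-attaches “Authorization” to a redirected request only when the target is HTTPS and on an allowlist, so the credential is never forwarded to an arbitrary redirect target. The class name, `trustedHosts`, the example.com hosts and the token are assumptions made for illustration; as the question notes, this delegate method is not consulted for background sessions.

```swift
import Foundation

/// Added example: forwards the credential on redirect only to allowlisted HTTPS hosts.
final class RedirectAuthDelegate: NSObject, URLSessionTaskDelegate {
    // Assumption: hosts that are allowed to receive the credential (placeholders).
    private let trustedHosts: Set<String>

    init(trustedHosts: Set<String>) {
        self.trustedHosts = Set(trustedHosts.map { $0.lowercased() })
    }

    /// Pure policy check, kept separate from the delegate callback so it can be tested.
    func shouldForwardCredential(to url: URL?) -> Bool {
        guard let url = url,
              url.scheme?.lowercased() == "https",
              let host = url.host?.lowercased() else { return false }
        return trustedHosts.contains(host)   // exact match, no suffix matching
    }

    func urlSession(_ session: URLSession,
                    task: URLSessionTask,
                    willPerformHTTPRedirection response: HTTPURLResponse,
                    newRequest request: URLRequest,
                    completionHandler: @escaping (URLRequest?) -> Void) {
        var redirected = request
        let credential = task.originalRequest?.value(forHTTPHeaderField: "Authorization")
        if let credential = credential, shouldForwardCredential(to: request.url) {
            redirected.setValue(credential, forHTTPHeaderField: "Authorization")
        } else {
            // Untrusted or non-HTTPS target: make sure no credential travels with it.
            redirected.setValue(nil, forHTTPHeaderField: "Authorization")
        }
        completionHandler(redirected)
    }
}

// Constructed values: wire the delegate into a foreground session and check the policy.
let delegate = RedirectAuthDelegate(trustedHosts: ["files.example.com"])
let session = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
var request = URLRequest(url: URL(string: "https://api.example.com/download/42")!)
request.setValue("Bearer <token-placeholder>", forHTTPHeaderField: "Authorization")

for target in ["https://files.example.com/a.zip",        // trusted, HTTPS
               "http://files.example.com/a.zip",         // trusted host, but plaintext
               "https://files.example.com.evil.test/a"]  // look-alike host
{
    print(target, delegate.shouldForwardCredential(to: URL(string: target)))
}
```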

The 'Authorization' header is one of the 'special' headers that are advised not to be modified. This is from Apple's documentation (LINK):

The NSURLConnection class and NSURLSession classes are designed to handle various aspects of the HTTP protocol for you. As a result, you should not modify the following headers:

  • Authorization
  • Connection
  • Host
  • WWW-Authenticate
Grafting answered 22/5, 2014 at 18:11 Comment(1)
Thank you, Rafał. I had a conversation with an Apple engineer at a WWDC Lab about this question and he agreed that it could be a good solution to use some custom field like "Authorization_" (with an underscore). It looks like a hack, but it works in background as expected.
Geniagenial
