If I (HTTP client) connect to the server with authentication parameters (username/password) and the server sends me a 301 response (permanent redirect), should my HTTP client automatically send username/password with a request going to the new location?
The question is about the standard and best practices - I couldn't find anything definite in RFC 2616 and RFC 2617.
I don't know if this helps you at all, but most of the posts I've seen regarding this have said that the Authorization header should be removed for redirects. There are a few bugs on GitHub with people asking for the Authorization header to be removed because it is the standard.
"Unfortunately, when the redirect is completed, the Authorization header is removed from the new request." http://blogs.msdn.com/b/paulking/archive/2011/03/31/how-to-lose-your-authorization-head-er-with-a-bad-url.aspx
"The Authorization header is cleared on auto-redirects and HttpWebRequest automatically tries to re-authenticate to the redirected location." http://msdn.microsoft.com/en-us/library/system.net.httpwebrequest.allowautoredirect.aspx
https://github.com/mikeal/request/issues/450
http://lists.apple.com/archives/webkitsdk-dev/2011/Mar/msg00004.html
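An added example (not code from the posts or projects linked above) of how a client could apply the header-stripping behaviour quoted in the answer when it follows a redirect. The function names, the optional `keep_same_origin` policy, the `example.test` URLs and the Basic credential are assumptions constructed for this illustration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def headers_for_redirect(request_url, location, headers, keep_same_origin=False):
    """Compute the URL and headers for the request that follows a 3xx response.

    Default: Authorization is always dropped, as in the quotes above.
    keep_same_origin=True (an assumed, looser policy) keeps it only when
    scheme, host and port are all unchanged, so a redirect to another host
    or an https -> http downgrade still loses the credentials.
    """
    target = urljoin(request_url, location)  # Location may be relative
    if keep_same_origin and origin(target) == origin(request_url):
        return target, dict(headers)
    # Header names are case-insensitive, so compare in lower case.
    kept = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    return target, kept


if __name__ == "__main__":
    # Constructed sample request: credential is base64 of "user:pass".
    sent = {"Authorization": "Basic dXNlcjpwYXNz", "Accept": "application/json"}
    start = "https://api.example.test/v1/items"
    for loc in ("/v2/items", "https://cdn.example.test/items",
                "http://api.example.test/v1/items"):
        url, hdrs = headers_for_redirect(start, loc, sent, keep_same_origin=True)
        print(url, "->", sorted(hdrs))
```

With `keep_same_origin=True`, only the first of the three sample redirects keeps the `Authorization` header; the client would have to re-authenticate to the other two locations.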