net/http: regression caused by copying headers in redirects #17494
Comments
@dsnet did you mean CL https://go-review.googlesource.com/#/c/28930?
@odeke-em, that is correct. Thank you.
CL https://golang.org/cl/31435 mentions this issue.
http://golang.org/cl/28930 caused a regression. The CL in question fixes #4800 by automatically copying the headers when following a redirect. In the situation where the initial request has some cookie set and one of the redirects sets the cookie to a different value, we should change the cookies sent in subsequent requests to use the newly set cookies.
This pattern is used by some login logic where credentials are stored in the cookies. Suppose the client has a stale auth cookie and makes a request. The server redirects the client to some other page to obtain a new auth cookie (and gets redirected back to the original page). When the client redirects back to the original page, it presents both the stale and the new auth cookie, which confuses the server. Since the server still thinks the client is not logged in, it sends it through the redirect loop again.
Minimum reproducing case:
On go1.7, I see:
On go1.8dev, I see:
/cc @bradfitz
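The login loop described in the report, as an added example that is not part of this issue or of net/http itself: a constructed httptest server whose /page handler redirects to /login unless it sees exactly the fresh auth cookie, driven by a Client that starts with a stale Cookie header and also has a cookie jar. The function name, the cookie name "auth" and the values "stale-token"/"fresh-token" are all made up for the example. With the fix for this issue the final /page request carries only the fresh cookie and the call returns 200; with the regression the stale cookie is copied alongside the fresh one and the client keeps looping until its default redirect limit stops it.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"sync/atomic"
)

// RunRedirectLoginFlow stands up a constructed login flow (/page with a stale
// "auth" cookie redirects to /login, which sets a fresh one and redirects back)
// and returns the final status plus the Cookie header seen on the last /page hit.
func RunRedirectLoginFlow() (status int, lastCookieHeader string, err error) {
	const fresh = "fresh-token" // constructed value, not from the report
	var last atomic.Value       // Cookie header of the most recent /page request
	last.Store("")
	mux := http.NewServeMux()
	mux.HandleFunc("/page", func(w http.ResponseWriter, r *http.Request) {
		cookie := r.Header.Get("Cookie")
		last.Store(cookie)
		// Deliberately strict: only the fresh token on its own is logged in.
		// "auth=stale-token; auth=fresh-token" is sent back through /login.
		if cookie == "auth="+fresh {
			w.WriteHeader(http.StatusOK)
			return
		}
		http.Redirect(w, r, "/login", http.StatusFound)
	})
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, &http.Cookie{Name: "auth", Value: fresh, Path: "/"})
		http.Redirect(w, r, "/page", http.StatusFound)
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()
	jar, _ := cookiejar.New(nil)
	client := &http.Client{Jar: jar} // default 10-redirect limit ends any loop
	req, _ := http.NewRequest("GET", srv.URL+"/page", nil)
	req.Header.Set("Cookie", "auth=stale-token") // the stale credential
	resp, err := client.Do(req)
	if err != nil {
		return 0, last.Load().(string), err
	}
	resp.Body.Close()
	return resp.StatusCode, last.Load().(string), nil
}

func main() {
	fmt.Println(RunRedirectLoginFlow())
}
```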