I'm working on a web application which can authenticate users using two HTTP request header fields: user and role.

Using the company's SSO service, I would like to achieve the following:

user --> SSO --> header(location: http://app, \
                        user    : username,   | --> application
                        role    : rolename)   /

Basically, I would like to redirect the user to the application from the SSO page. The SSO page is a small PHP script which finds the correct username and role, and then performs calls to the header() function:

  header('user: username');
  header('role: rolename');
  header('location: http://application/login');

The problem is that the fields user and role seem to be removed during the redirection (I'm using Chrome with the HTTP headers extension to monitor the process).

Also, when I'm setting the headers manually (using the modify headers Chrome extension), everything works fine. So I presume the web application is not the problem.

Last thing: I'm not the developer of the web application, which is a commercial product. So, there is no way for me to modify the application itself.

Thank you very much in advance for any help :)

JPC

2 Answers

In a nutshell: the server does not control which headers the client sends on the next request. What you're setting there are response headers, headers that go with the response from the server to the client. They're supposed to provide information to the client. The client may or may not then produce another request to the server, for which it chooses solely by itself which headers to send.

The only "persistent" headers are cookies, which is exactly their purpose. If that's not an option, for example because the domains differ, you'll have to pass the information through as query parameters in the URL you're redirecting to.

Alternatively you need to do everything via AJAX, where you can control the sent headers yourself using JavaScript.

deceze
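
An added example (not part of the question or of either answer) that reproduces the behaviour described in the answer above: a local Python test server answers `/sso` with a 302 carrying `user` and `role` response headers plus a `Set-Cookie`, and a client follows the redirect to `/login`. The `/sso` path, the cookie name and the helper `login_request_headers` are assumptions made for this demonstration.

```python
import threading
import urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

seen = []  # request headers the test server received on /login


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/sso":
            # Same idea as the PHP header() calls: these are RESPONSE headers.
            self.send_response(302)
            self.send_header("user", "username")
            self.send_header("role", "rolename")
            self.send_header("Set-Cookie", "user=username; Path=/")
            self.send_header("Location", "/login")
        else:
            # Record what the client actually sent on the follow-up request.
            seen.append({k.lower(): v for k, v in self.headers.items()})
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def login_request_headers(with_cookies):
    """Request /sso, follow the redirect, return the headers sent to /login."""
    server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    handlers = [urllib.request.ProxyHandler({})]  # never go through a proxy
    if with_cookies:
        handlers.append(urllib.request.HTTPCookieProcessor(CookieJar()))
    opener = urllib.request.build_opener(*handlers)
    try:
        seen.clear()
        opener.open(f"http://127.0.0.1:{server.server_port}/sso").close()
        return seen[-1]
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for with_cookies in (False, True):
        h = login_request_headers(with_cookies)
        print(with_cookies, {k: h.get(k) for k in ("user", "role", "cookie")})
```

Only the cookie reaches `/login`, and only when the client keeps a cookie jar; what arrives is still chosen by the client, exactly like a header set by hand with a browser extension.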

There's no way to preserve headers on redirect. See this question on SO:

How to forward headers on HTTP redirect

Community
Pavel Lint