Add comment about Cookie behavior to HttpClientHandler.AllowAutoRedirect (dotnet#8092)

MihaZupan · web-flow · commit 1925f3b7de01 · 2022-05-24T06:50:53.000-07:00
* Add comment about Cookie behavior to HttpClientHandler.AllowAutoRedirect

* Add xrefs
diff --git a/xml/System.Net.Http/HttpClientHandler.xml b/xml/System.Net.Http/HttpClientHandler.xml
@@ -154,7 +154,9 @@ These configuration options are not available starting with .NET 5.
 
  If <xref:System.Net.Http.HttpClientHandler.AllowAutoRedirect%2A> is set to `false`, all HTTP responses with an HTTP status code from 300 to 399 are  returned to the application.
 
- The Authorization header is cleared on auto-redirects and the handler automatically tries to re-authenticate to the redirected location. In practice, this means that an application can't put custom authentication information into the Authorization header if it is possible to encounter redirection. Instead, the application must implement and register a custom authentication module.
+ The Authorization header is cleared on auto-redirects and the handler automatically tries to re-authenticate to the redirected location. No other headers are cleared. In practice, this means that an application can't put custom authentication information into the Authorization header if it is possible to encounter redirection. Instead, the application must implement and register a custom authentication module.
+
+ If you are using cookies by specifically adding them to the <xref:System.Net.Http.HttpRequestMessage.Headers> collection, these are not cleared when a redirect is followed, as the handler has no way of knowing what domain a cookie is allowed for. If you want to mimic browser behavior, use the <xref:System.Net.CookieContainer> class which allows you to specify the target domain for a cookie.
 
 > [!NOTE]
 >  With <xref:System.Net.Http.HttpClientHandler.AllowAutoRedirect%2A> set to `true`, the .NET Framework will follow redirections even when being redirected to an HTTP URI from an HTTPS URI.
diff --git a/xml/System.Net.Http/SocketsHttpHandler.xml b/xml/System.Net.Http/SocketsHttpHandler.xml
@@ -147,7 +147,9 @@ These configuration options are not available starting with .NET 5.
 
  If <xref:System.Net.Http.SocketsHttpHandler.AllowAutoRedirect%2A> is set to `false`, all HTTP responses with an HTTP status code from 300 to 399 are returned to the application.
 
- The Authorization header is cleared on auto-redirects and the handler automatically tries to re-authenticate to the redirected location. In practice, this means that an application can't put custom authentication information into the Authorization header if it is possible to encounter redirection. Instead, the application must implement and register a custom authentication module.
+ The Authorization header is cleared on auto-redirects and the handler automatically tries to re-authenticate to the redirected location. No other headers are cleared. In practice, this means that an application can't put custom authentication information into the Authorization header if it is possible to encounter redirection. Instead, the application must implement and register a custom authentication module.
+
+ If you are using cookies by specifically adding them to the <xref:System.Net.Http.HttpRequestMessage.Headers> collection, these are not cleared when a redirect is followed, as the handler has no way of knowing what domain a cookie is allowed for. If you want to mimic browser behavior, use the <xref:System.Net.CookieContainer> class which allows you to specify the target domain for a cookie.
 
 > [!NOTE]
 >  The handler never follows a redirection from HTTPS to HTTP even if <xref:System.Net.Http.SocketsHttpHandler.AllowAutoRedirect%2A> is set to `true`.
