add_authentication won't work if the url required basic authen is redirected from the external system

[idxn]

trafficstars

Let's say we have an ecommerce website, create an order and go to checkout for payment. If the website redirect user to payment gateway and when get redirected back after successfully make a payment to its origin ecommerce website, the ecommerce website still require the basic authen.

[rasjani]

I made a testcase to cover this and did some inspection on how chrome & firefox works in this area and here are my findings:

If SL Test goes into a page that requires basic authentication, and url is injected with auth details, login should succeed and the browser "session" should have Authorization headers.

Next in my test, i used httpbin to do redirection, item in the get payload points to a sub page of the test app that also requires this Authorization header.

Whenn httpbin redirects the browser back to sub page, Authorization header is still in the requests.

This makes me think that

1. You have not "Authorized" succesfully in the ecommerce site before you are being redirected to payment site. Could you verify that this is on the case and if it is, could you just do separate auth step ?
2. Payment site has some sort of redirection scheme that doesnt follow my reproduction method.
3. Something completely different like iframes ? ;D

[idxn]

1. It should be successful. If not, we cannot do anything on the site.
2. This might be the case. I haven't looked into the raw request/response yet. Will look into it further and let you know if I have any more progress.
3. No iframe for sure.

[idxn]

@rasjani I found the cause. The reason is that the host in redirected url from payment gateway is a little bit difference. It's payment.xxxx.com instead of www.xxxx.com so adding to url won't work.