Why are headers cleaned when protection = skip?
Hi,
I don't understand the need to clean defined headers (see https://jira.ow2.org/browse/#728) when protection is skipped. Does anyone have an idea?
I fully agree that for unprotect, this is needed for security reasons, but I assume that skip means "no protection at all", and thus the backend should never authenticate the user on his "skip endpoints".
If there is no need to clean headers, the correction could be (version 1.9.5):
--- Handler/Main.pm.old 2016-10-28 10:58:42.175487761 +0200
+++ Handler/Main.pm 2016-10-28 10:59:28.600006266 +0200
@@ -316,7 +316,7 @@
'debug' );
$class->updateStatus('SKIP');
$class->hideCookie;
- $class->cleanHeaders;
+ #$class->cleanHeaders; # Don't clean headers when skip protection is on
return OK;
}
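Review bot: dropping `$class->cleanHeaders;` on the SKIP path means the headers the handler would otherwise strip reach the backend exactly as the client sent them, so this is only safe if every backend behind a skipped path never consults those headers; if that assumption is the intended contract, delete the line outright rather than leaving it commented out with `#$class->cleanHeaders;`, and state the rationale in the commit message so the change is not mistaken for the unprotect case, where the cleaning is needed.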