Go version

go version go1.24.2 windows/amd64

Output of go env in your module/workspace:

AR=ar
CC=gcc
CGO_CFLAGS=-O2 -g
CGO_CPPFLAGS=
CGO_CXXFLAGS=-O2 -g
CGO_ENABLED=1
CGO_FFLAGS=-O2 -g
CGO_LDFLAGS=-O2 -g
CXX=g++
GCCGO=gccgo
GO111MODULE=
GOAMD64=v1
GOARCH=amd64
GOAUTH=netrc
GOBIN=
GOCACHE=C:\Users\R0ld3\AppData\Local\go-build
GOCACHEPROG=
GODEBUG=
GOENV=C:\Users\R0ld3\AppData\Roaming\go\env
GOEXE=.exe
GOEXPERIMENT=
GOFIPS140=off
GOFLAGS=
GOGCCFLAGS=-m64 -mthreads -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=C:\Users\R0ld3\AppData\Local\Temp\go-build2776025708=/tmp/go-build -gno-record-gcc-switches
GOHOSTARCH=amd64
GOHOSTOS=windows
GOINSECURE=
GOMOD=C:\Users\R0ld3\Videos\teraboxapigolang\go.mod
GOMODCACHE=C:\Users\R0ld3\go\pkg\mod
GONOPROXY=
GONOSUMDB=
GOOS=windows
GOPATH=C:\Users\R0ld3\go
GOPRIVATE=
GOPROXY=https://proxy.golang.org,direct
GOROOT=C:\Program Files\Go
GOSUMDB=sum.golang.org
GOTELEMETRY=local
GOTELEMETRYDIR=C:\Users\R0ld3\AppData\Roaming\go\telemetry
GOTMPDIR=
GOTOOLCHAIN=auto
GOTOOLDIR=C:\Program Files\Go\pkg\tool\windows_amd64
GOVCS=
GOVERSION=go1.24.2
GOWORK=
PKG_CONFIG=pkg-config

What did you do?

package main

import (
    "fmt"
    "net/http"
)

func main() {
    client := &http.Client{}

    req, err := http.NewRequest("GET", "https://httpbin.org/redirect-to?url=https://example.com", nil)
    if err != nil {
        panic(err)
    }
    req.Header.Set("Authorization", "Bearer token123")
    req.AddCookie(&http.Cookie{Name: "sessionid", Value: "testsession"})

    resp, err := client.Do(req)
    if err != nil {
        panic(err)
    }
    defer resp.Body.Close()

    fmt.Println("Final response status:", resp.Status)
}

The server responds with a 302 redirect. http.Client follows the redirect but does not forward the Authorization header or cookies from the initial request.

Proposed fix / workaround:

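client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
    if len(via) > 0 {
        originalReq := via[0]
        // Copy the credential headers from the first request onto the
        // redirected one. This runs for every redirect target, whatever its host.
        // Assigning the slice (rather than AddCookie followed by Header.Add)
        // avoids sending a value twice when the header is already present.
        for _, key := range []string{"Cookie", "Authorization"} {
            if values := originalReq.Header.Values(key); len(values) > 0 {
                req.Header[key] = append([]string(nil), values...)
            }
        }
    }
    return nil
}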

This copies cookies and authentication headers from the original request to the redirected one, keeping the session/authentication intact.


What did you see happen?

Redirected requests are missing the Authorization header and cookies from the original request, causing authentication/session loss.

What did you expect to see?

Redirected requests should preserve cookies and Authorization headers so that authenticated flows continue to work across redirects, similar to browser behavior.
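
For context on the report above: the net/http documentation states that the client drops Authorization, WWW-Authenticate and Cookie when a redirect leaves the initial domain and its subdomains. The following is an added example, not code from the original report or from the Go project, showing that default next to a CheckRedirect that re-attaches Authorization only for an allowlisted HTTPS host. The hosts api.example.test and files.partner.test, the fakeNet transport and the helper names are constructed for illustration, and nothing is sent over the network.

```go
package main

import (
	"fmt"
	"net/http"
)

// fakeNet is a constructed offline transport: api.example.test answers 302 to target, other hosts 200.
type fakeNet struct{ target, got string }

func (f *fakeNet) RoundTrip(r *http.Request) (*http.Response, error) {
	f.got = r.Header.Get("Authorization") // overwritten per hop, so it ends as what the final host saw
	resp := &http.Response{StatusCode: 200, Header: http.Header{}, Body: http.NoBody, Request: r}
	if r.URL.Hostname() == "api.example.test" {
		resp.StatusCode = http.StatusFound
		resp.Header.Set("Location", f.target)
	}
	return resp, nil
}

// scopedForward re-attaches Authorization only for allowlisted HTTPS targets and keeps a 10-redirect limit.
func scopedForward(allow map[string]bool) func(*http.Request, []*http.Request) error {
	return func(req *http.Request, via []*http.Request) error {
		if len(via) >= 10 {
			return fmt.Errorf("stopped after 10 redirects")
		}
		auth := via[0].Header.Get("Authorization")
		if auth != "" && req.URL.Scheme == "https" && allow[req.URL.Hostname()] {
			req.Header.Set("Authorization", auth)
		}
		return nil
	}
}

// authSeenBy follows the redirect to target and returns the Authorization the target received ("" if none).
func authSeenBy(target string, check func(*http.Request, []*http.Request) error) string {
	fn := &fakeNet{target: target}
	client := &http.Client{Transport: fn, CheckRedirect: check} // nil check means the default policy
	req, _ := http.NewRequest("GET", "https://api.example.test/start", nil)
	req.Header.Set("Authorization", "Bearer token123")
	if resp, err := client.Do(req); err == nil {
		resp.Body.Close()
	}
	return fn.got
}

func main() {
	allow := map[string]bool{"files.partner.test": true} // hypothetical allowlist
	u := "https://files.partner.test/d"
	fmt.Printf("default=%q scoped=%q\n", authSeenBy(u, nil), authSeenBy(u, scopedForward(allow)))
}
```

Cookies can be scoped the same way, or handled by setting a cookie jar on the client so that each cookie is sent only to the hosts it belongs to.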