Implement custom redirect handling to fix lost Set-Cookie on redirects (#2360)

* Implement custom redirect handling to fix lost Set-Cookie on redirects

Fixes #2077 and #2059. Previously RestSharp delegated redirects to
HttpClient (AllowAutoRedirect=true) but set UseCookies=false, so
Set-Cookie headers from intermediate redirect responses were silently
lost. This replaces HttpClient's redirect handling with a custom loop
in ExecuteRequestAsync that processes Set-Cookie at each hop.

Adds RedirectOptions class with fine-grained control over redirect
behavior: FollowRedirectsToInsecure, ForwardHeaders, ForwardAuthorization,
ForwardCookies, ForwardBody, ForwardQuery, MaxRedirects, and
RedirectStatusCodes. Existing FollowRedirects/MaxRedirects properties
delegate to RedirectOptions for backward compatibility.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Address PR review feedback: reduce complexity, fix disposal, fix duplicate cookies

- Extract redirect loop into smaller focused methods (SendWithRedirectsAsync,
  ShouldFollowRedirect, ResolveRedirectUrl, CreateRedirectMessage,
  ParseResponseCookies, AddPendingCookies) to reduce cognitive complexity
- Fix double-dispose warning (S3966) by using previousMessage pattern
  and try/finally for message disposal in SendWithRedirectsAsync
- Fix duplicate Cookie header bug in AddCookieHeaders (remove existing
  parameter before adding merged cookies)
- Add Host/CacheControl headers to redirect request messages
- Add comments for intentional cert validation bypass in HTTPS tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Reduce test code duplication flagged by SonarCloud

- Move shared test endpoints (set-cookie-and-redirect, echo-cookies,
  redirect-no-query, redirect-custom-status) into WireMockTestServer
- Switch CookieRedirectTests to use IClassFixture<WireMockTestServer>
  instead of standalone WireMockServer, eliminating cross-file duplication
- Parameterize verb change tests with [Theory]/[InlineData] (5 tests → 1)
- Parameterize header, auth, query, and HTTPS tests with [Theory]
- Extract CreateClient helper to reduce setup boilerplate
- CookieRedirectTests: 616 → 336 lines (45% reduction)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Strip Authorization header on cross-origin and HTTPS-to-HTTP redirects

Address security concern from PR review: ForwardAuthorization could
leak credentials to unintended hosts on redirect.

- Compare full authority (host+port) against original request URL,
  matching browser same-origin policy
- Always strip Authorization on HTTPS→HTTP redirects (defense-in-depth)
- Add ForwardAuthorizationToExternalHost option (default false) for
  explicit opt-in to cross-origin auth forwarding
- Add tests for cross-host auth stripping and explicit opt-in

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Consolidate cross-host auth tests into parameterized Theory to reduce duplication

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Reduce code duplication: consolidate ForwardBody tests and reuse shared EchoRequest

- Merge ForwardBody_False and ForwardBody_True into a single parameterized Theory
- Replace inline echo-request callback with shared WireMockTestServer.EchoRequest
- Make EchoRequest public for cross-project reuse

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: alexeyzimarev

src/RestSharp/Options/RedirectOptions.cs

@@ -0,0 +1,83 @@
+//  Copyright (c) .NET Foundation and Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+namespace RestSharp;
+
+/// <summary>
+/// Options for controlling redirect behavior when RestSharp handles redirects.
+/// </summary>
+public class RedirectOptions {
+    /// <summary>
+    /// Whether to follow redirects. Default is true.
+    /// </summary>
+    public bool FollowRedirects { get; set; } = true;
+
+    /// <summary>
+    /// Whether to follow redirects from HTTPS to HTTP (insecure). Default is false.
+    /// </summary>
+    public bool FollowRedirectsToInsecure { get; set; }
+
+    /// <summary>
+    /// Whether to forward request headers on redirect. Default is true.
+    /// </summary>
+    public bool ForwardHeaders { get; set; } = true;
+
+    /// <summary>
+    /// Whether to forward the Authorization header on same-host redirects. Default is false.
+    /// Even when enabled, Authorization is stripped on cross-host redirects unless
+    /// <see cref="ForwardAuthorizationToExternalHost"/> is also set to true.
+    /// </summary>
+    public bool ForwardAuthorization { get; set; }
+
+    /// <summary>
+    /// Whether to forward the Authorization header when redirecting to a different host. Default is false.
+    /// Only applies when <see cref="ForwardAuthorization"/> is true. Enabling this can expose credentials
+    /// to unintended hosts if a redirect points to a third-party server.
+    /// </summary>
+    public bool ForwardAuthorizationToExternalHost { get; set; }
+
+    /// <summary>
+    /// Whether to forward cookies on redirect. Default is true.
+    /// Cookies from Set-Cookie headers are always stored in the CookieContainer regardless of this setting.
+    /// </summary>
+    public bool ForwardCookies { get; set; } = true;
+
+    /// <summary>
+    /// Whether to forward the request body on redirect when the HTTP verb is preserved. Default is true.
+    /// Body is always dropped when the verb changes to GET.
+    /// </summary>
+    public bool ForwardBody { get; set; } = true;
+
+    /// <summary>
+    /// Whether to forward original query string parameters on redirect. Default is true.
+    /// </summary>
+    public bool ForwardQuery { get; set; } = true;
+
+    /// <summary>
+    /// Maximum number of redirects to follow. Default is 50.
+    /// </summary>
+    public int MaxRedirects { get; set; } = 50;
+
+    /// <summary>
+    /// HTTP status codes that are considered redirects.
+    /// </summary>
+    public IReadOnlyList<HttpStatusCode> RedirectStatusCodes { get; set; } = [
+        HttpStatusCode.MovedPermanently,  // 301
+        HttpStatusCode.Found,             // 302
+        HttpStatusCode.SeeOther,          // 303
+        HttpStatusCode.TemporaryRedirect, // 307
+        (HttpStatusCode)308,              // 308 Permanent Redirect
+    ];
+}

src/RestSharp/Options/RestClientOptions.cs

@@ -108,12 +108,19 @@ public RestClientOptions(string baseUrl) : this(new Uri(Ensure.NotEmptyString(ba
 #endif
 
     /// <summary>
-    /// Set the maximum number of redirects to follow
+    /// Set the maximum number of redirects to follow.
+    /// This is a convenience property that delegates to <see cref="RedirectOptions"/>.MaxRedirects.
     /// </summary>
 #if NET
     [UnsupportedOSPlatform("browser")]
 #endif
-    public int? MaxRedirects { get; set; }
+    [Exclude]
+    public int? MaxRedirects {
+        get => RedirectOptions.MaxRedirects;
+        set {
+            if (value.HasValue) RedirectOptions.MaxRedirects = value.Value;
+        }
+    }
 
     /// <summary>
     /// X509CertificateCollection to be sent with request
@@ -141,8 +148,18 @@ public RestClientOptions(string baseUrl) : this(new Uri(Ensure.NotEmptyString(ba
 
     /// <summary>
     /// Instruct the client to follow redirects. Default is true.
+    /// This is a convenience property that delegates to <see cref="RedirectOptions"/>.FollowRedirects.
+    /// </summary>
+    [Exclude]
+    public bool FollowRedirects {
+        get => RedirectOptions.FollowRedirects;
+        set => RedirectOptions.FollowRedirects = value;
+    }
+
+    /// <summary>
+    /// Options for controlling redirect behavior.
     /// </summary>
-    public bool FollowRedirects { get; set; } = true;
+    public RedirectOptions RedirectOptions { get; set; } = new();
 
     /// <summary>
     /// Gets or sets a value that indicates if the <see langword="Expect" /> header for an HTTP request contains Continue.

src/RestSharp/Request/RequestHeaders.cs

@@ -35,6 +35,11 @@ public RequestHeaders AddAcceptHeader(string[] acceptedContentTypes) {
         return this;
     }
 
+    public RequestHeaders RemoveHeader(string name) {
+        Parameters.RemoveAll(p => string.Equals(p.Name, name, StringComparison.InvariantCultureIgnoreCase));
+        return this;
+    }
+
     // Add Cookie header from the cookie container
     public RequestHeaders AddCookieHeaders(Uri uri, CookieContainer? cookieContainer) {
         if (cookieContainer == null) return this;
@@ -48,6 +53,7 @@ public RequestHeaders AddCookieHeaders(Uri uri, CookieContainer? cookieContainer
 
         if (existing?.Value != null) {
             newCookies = newCookies.Union(SplitHeader(existing.Value!));
+            Parameters.Remove(existing);
         }
 
         Parameters.Add(new(KnownHeaders.Cookie, string.Join("; ", newCookies)));