
Is there an HTTP response header intended for authentication/credential data other than Set-Cookie?

I am working on an HTTP API which transfers authentication tokens in cookies. I need to add support for a legacy system which supports all HTTP headers except Set-Cookie / Cookie.

When the user logs on, the server currently submits the token to the client in a Set-Cookie header. At first I was thinking that I'd just make an implementation where I submit the token to the client in a custom header, like MyOwnHeader: TheToken, but then I read that this may then be cached by proxies and could lead to security issues. I read that most proxies skip caching of responses with Set-Cookie.

I could put the token in an HTTP response body, but then renewal of expired tokens becomes more complex. If it's included in an HTTP response header, it can be sent from the server to the client in the response to any request when it's nearing expiration (just as is common for Set-Cookie).

After the client has logged on, it will submit the authentication token to the server in an Authorization header. So my issue is related to submitting the token from the server to the client.

Nitradamus

0 Answers
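The scheme the question describes, worked through as an added example (this is not code from the question, and there is no answer on the page it reproduces): the server hands out and renews the token in a custom response header instead of Set-Cookie, and explicitly marks every such response `Cache-Control: no-store, private` so that neither a shared proxy cache nor a browser cache is permitted to keep it (RFC 7234 forbids storing a `no-store` response anywhere and a `private` response in a shared cache). The client sends the token back in `Authorization: Bearer ...` and swaps in a fresh token whenever the renewal header appears. The header name `X-Auth-Token`, the HMAC-signed token format, the signing key, the one-hour lifetime and the five-minute renewal window are all assumptions made for the example; `shared_cache_may_store` implements only the two directives relevant here, not a full caching policy.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Everything below is constructed for the example; none of it comes from the question.
SECRET = b"demo-signing-key-do-not-use"   # assumption: server-side HMAC key
TOKEN_HEADER = "X-Auth-Token"             # assumption: stands in for "MyOwnHeader"
TOKEN_TTL = 3600                          # assumption: tokens live one hour
RENEW_WINDOW = 300                        # assumption: renew when < 5 minutes remain


def mint_token(subject, now, ttl=TOKEN_TTL):
    """Issue an opaque, HMAC-SHA256-signed token: base64url(payload).hex(tag)."""
    payload = {"sub": subject, "exp": now + ttl, "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token, now):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    padded = body + "=" * (-len(body) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if claims["exp"] <= now:
        return None
    return claims


def server_response(request_headers, now):
    """Server side of one API call: (status, response headers).

    The token travels back to the client in TOKEN_HEADER only when it is close
    to expiring, and every response carrying it is marked non-cacheable.
    """
    scheme, _, token = request_headers.get("Authorization", "").partition(" ")
    claims = verify_token(token, now) if scheme == "Bearer" else None
    if claims is None:
        return 401, {"WWW-Authenticate": "Bearer", "Cache-Control": "no-store"}
    # no-store: no cache (shared or private) may keep this response.
    # private: belt and braces for shared caches that honour only that directive.
    headers = {"Cache-Control": "no-store, private"}
    if claims["exp"] - now < RENEW_WINDOW:
        headers[TOKEN_HEADER] = mint_token(claims["sub"], now)
    return 200, headers


def shared_cache_may_store(response_headers):
    """RFC 7234 §3 subset: a shared cache must not store no-store or private responses."""
    raw = response_headers.get("Cache-Control", "")
    directives = {d.strip().split("=", 1)[0].lower() for d in raw.split(",") if d.strip()}
    return not ({"no-store", "private"} & directives)


class Client:
    """Legacy client: no cookie jar, presents the token via Authorization only."""

    def __init__(self, token):
        self.token = token

    def request_headers(self):
        return {"Authorization": f"Bearer {self.token}"}

    def absorb(self, response_headers):
        """Adopt a renewed token if the server sent one in the custom header."""
        renewed = response_headers.get(TOKEN_HEADER)
        if renewed:
            self.token = renewed


if __name__ == "__main__":
    now = 1_700_000_000
    client = Client(mint_token("alice", now))            # token issued at logon
    status, hdrs = server_response(client.request_headers(), now + TOKEN_TTL - 60)
    client.absorb(hdrs)                                  # picks up the renewed token
    print(status, hdrs["Cache-Control"], TOKEN_HEADER in hdrs, shared_cache_may_store(hdrs))
```

The important point for the asker's concern is the `Cache-Control` line: the custom header itself is not what makes a response cacheable or not, the caching directives are, so the same explicit `no-store` marking should go on the logon response that first hands out the token.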