Specify headers to be stored in session

lib/auth/types/AuthType.js

@@ -119,6 +119,7 @@ export default class AuthType {
                 authType: this.type,
                 authHeaderName: this.authHeaderName,
                 allowedHeaders: union(this.requestHeadersWhitelist, this.allowedAdditionalAuthHeaders),
+                headersToStoreInSession: this.allowedAdditionalAuthHeaders,
                 authenticateFunction: this.authenticate.bind(this),
                 validateAvailableTenants: this.validateAvailableTenants
             }

lib/session/sessionPlugin.js

@@ -17,6 +17,7 @@ internals.config = Joi.object({
     authType: Joi.string().allow(null),
     authHeaderName: Joi.string(),
     allowedHeaders: Joi.array().default([]),
+    headersToStoreInSession: Joi.array().default([]),
     authenticateFunction: Joi.func(),
     validateAvailableTenants: Joi.boolean().default(true),
     validateAvailableRoles: Joi.boolean().default(true)
@@ -119,7 +120,7 @@ const register = function (server, options) {
                 // If we used any additional auth headers when authenticating, we need to store them in the session
                 authResponse.session.additionalAuthHeaders = null;
                 if (Object.keys(additionalAuthHeaders).length) {
-                    authResponse.session.additionalAuthHeaders = additionalAuthHeaders;
+                    authResponse.session.additionalAuthHeaders = filterAuthHeaders(additionalAuthHeaders, settings.headersToStoreInSession);
                 }
 
                 request.cookieAuth.set(authResponse.session);