diff --git a/requests/sessions.py b/requests/sessions.py
index e262aa32..ae7390c5 100644
--- a/requests/sessions.py
+++ b/requests/sessions.py
@@ -158,6 +158,21 @@ class SessionRedirectMixin(object):
 prepared_request._cookies.update(self.cookies)
 prepared_request.prepare_cookies(prepared_request._cookies)
+ # If we get redirected to a new host, we should strip out any
+ # authentication headers.
+ original_parsed = urlparse(resp.request.url)
+ redirect_parsed = urlparse(url)
+
+ if (original_parsed.hostname != redirect_parsed.hostname and
+ 'Authorization' in headers):
+ del headers['Authorization']
+
+ # However, .netrc might have more auth for us. Let's get it if it
+ # does.
+ new_auth = get_netrc_auth(url) if self.trust_env else None
+ if new_auth is not None:
+ prepared_request.prepare_auth(new_auth)
+
 resp = self.send(
 prepared_request,
 stream=stream,
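Review bot: The strip condition `original_parsed.hostname != redirect_parsed.hostname` compares hostnames only, so a redirect that keeps the host but changes the scheme (https to http) or the port still carries the `Authorization` header, possibly to a different service or over a cleartext channel. Consider comparing scheme and port as well, e.g. `if ((original_parsed.scheme, original_parsed.hostname, original_parsed.port) != (redirect_parsed.scheme, redirect_parsed.hostname, redirect_parsed.port) and 'Authorization' in headers):`, relaxing it only for an http-to-https upgrade on default ports if that case must keep working. `headers` is bound outside the hunk (presumably to `prepared_request.headers`) and the enclosing method starts and ends outside the hunk, so it is worth confirming that the `del` acts on the headers that are actually sent. A test that follows a same-host https-to-http redirect and asserts the header is absent on the second request would pin the behaviour.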