[cas-dev] CAS Services, AJAX, & session timeout
Robert Winch
rwinch at gmail.com
Thu May 15 16:03:25 EDT 2008
We are implementing CAS and have come across some interesting scenarios when
using CAS Services and AJAX. These scenarios appear when a timeout occurs
within the CAS Service and the requested resource is returned after SSO, but
there is no longer any JavaScript to process the response.
Here is the flow of the scenario.
* A user logs in successfully to a CAS Service and the web browser is left
open on a CAS Service until the session on the CAS Service times out
* The user then clicks a link that triggers an Ajax request to be made
* At this point the response would contain an HTTP 302 redirect back to the
CAS Server with the service parameter pointing to the requested resource. In
this case the resource is a response that needs to be processed by
JavaScript, as the response is not complete on its own (the JavaScript
normally processes it somehow). When receiving this redirect I wonder what
should be done with the 302. I feel it is reasonable that the JavaScript
will redirect the browser or an iframe to the 302 if it is a different
domain (to avoid cross site scripting issues); this is true even outside of
the CAS protocol. Is this a reasonable assumption? What if the CAS Server was
present on the same domain? Can the JavaScript handle things more
transparently at this point?
* The CAS Server eventually returns a ticket to the service URL that was
originally requested. The browser then returns the AJAX response, which is
not a complete response on its own (the JavaScript that calls it needs to
handle it but is no longer present).
My question is has anyone dealt with similar issues? Are there recommended
practices for dealing with this?
Thanks in advance,
Rob
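The browser-side half of the flow described above, as an added example that is not part of the original post and not code from the CAS project. It models what the page's script should do when an AJAX call made after the service session expired comes back as a CAS redirect chain (or a 401) instead of the JSON fragment it asked for. Everything here is assumed for illustration: the CAS server at `CAS_ORIGIN` with a `/login` endpoint taking a `service` query parameter, an application that answers AJAX requests with JSON, and `res` as a plain object carrying only the parts of a fetch() Response the logic needs (`url`, `status`, `redirected`, `contentType`, `body`). The design choice that addresses the poster's last bullet is that when the script decides to navigate, it uses the URL of the page itself as the CAS `service`, so the ticket is delivered to a full page whose script is present, never to the bare fragment URL.

```javascript
// Added example (not from the original post or the CAS project).
// Hypothetical CAS server origin; the application origin is also made up.
const CAS_ORIGIN = 'https://cas.example.edu';

// Build a CAS login URL for a given service URL, e.g.
// https://cas.example.edu/login?service=https%3A%2F%2Fapp.example.edu%2Fpage
function casLoginUrl(casOrigin, service) {
  const u = new URL('/login', casOrigin);
  u.searchParams.set('service', service);
  return u.toString();
}

// Decide what the page's script should do with an AJAX response.
//   { action: 'process', data }        the JSON fragment is usable as-is
//   { action: 'navigate', reason, to } the whole window must go through SSO
// `currentPage` is the URL of the page whose script issued the request; it is
// used as the CAS `service` so the ticket comes back to a page that still has
// the script, not to the fragment URL the XHR originally asked for.
function handleAjaxResponse(res, { casOrigin = CAS_ORIGIN, currentPage }) {
  const finalUrl = new URL(res.url);
  const type = (res.contentType || '').toLowerCase();

  // Case A: fetch silently followed the 302 and the final hop is the CAS
  // login page. Never try to parse it; send the top-level window to CAS.
  if (res.redirected && finalUrl.origin === casOrigin) {
    return { action: 'navigate', reason: 'redirected-to-cas',
             to: casLoginUrl(casOrigin, currentPage) };
  }

  // Case B: the application answered the AJAX request with 401 instead of a
  // redirect (assumed server behaviour, not part of the post).
  if (res.status === 401) {
    return { action: 'navigate', reason: 'unauthorized',
             to: casLoginUrl(casOrigin, currentPage) };
  }

  // Case C: something other than JSON arrived (e.g. an HTML page after the
  // SSO round trip). Reload the page so the ordinary redirect flow runs with
  // the page itself as the service.
  if (!type.startsWith('application/json')) {
    return { action: 'navigate', reason: 'unexpected-content-type', to: currentPage };
  }

  // Normal case: the fragment came back and the script can process it.
  return { action: 'process', data: JSON.parse(res.body) };
}

// Constructed sample responses, shaped like what fetch() would hand back.
const PAGE = 'https://app.example.edu/orders';
const SAMPLES = {
  ok: { url: 'https://app.example.edu/orders/list.json', status: 200,
        redirected: false, contentType: 'application/json; charset=utf-8',
        body: '{"orders":[1,2,3]}' },
  expired: { url: 'https://cas.example.edu/login?service=https%3A%2F%2Fapp.example.edu%2Forders%2Flist.json',
             status: 200, redirected: true, contentType: 'text/html',
             body: '<html>login form</html>' },
  unauthorized: { url: 'https://app.example.edu/orders/list.json', status: 401,
                  redirected: false, contentType: 'text/plain', body: '' },
  htmlAtApp: { url: 'https://app.example.edu/orders/list.json', status: 200,
               redirected: true, contentType: 'text/html',
               body: '<html>fragment rendered as a page</html>' },
};

// Run every sample through the handler and return the decisions by name.
function runSamples() {
  const out = {};
  for (const [name, res] of Object.entries(SAMPLES)) {
    out[name] = handleAjaxResponse(res, { currentPage: PAGE });
  }
  return out;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

In a real page the `navigate` actions map to `window.location.assign(to)`; a same-origin CAS server changes nothing about this decision, since the login page is still not the fragment the script expected.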