Browser doesn't follow redirect from an AJAX response (PHP-generated response is using CAS authentication)

Biagio Arobba · Apr 6, 2012 · Viewed 9.8k times

OK, it looks like I made a mistake with my initial question. So, here are some corrections. The answer still applies, because the second redirect is stopped when there is a change in protocol to HTTPS (SSL).

In my case, I have a redirect occurring multiple times, and the browser doesn't follow the second redirect. The first redirect is followed but returns an error.

I keep reading that JavaScript AJAX responses containing redirects are followed automatically, but it looks like that is not the case for me. The first redirect is automatically followed by the browser, and the first redirect is returned without following the second redirect in the header. My problem is that I want all the redirects to be automatically followed by the browser.

The redirects are part of the phpCAS library. I have an API written in PHP which checks the user authentication, each time, before returning the results.

Here is the sequence. The main thing to note is that the browser returns the second response, after following 1 redirect. I would prefer it went all the way and returned the last response when I make an AJAX call to localhost/example/api.

localhost/example

  • Calls localhost/example/api using jQuery.ajax()

Response 1: localhost/example/api

  • Redirects to https://localhost/accounts/cas/login?service=api.example.com&gateway=true (using SSL).

Response 2: (SSL) localhost/accounts/cas/login?service=api.example.com&gateway=true

  • When the query key 'gateway' is present, the login simply redirects back to the URL provided by the 'service' key with or without a ticket (to signal to the service that the user is either logged in or not).

Response 3: localhost/api?ticket=TICKET

  • Verifies the ticket and redirects back to itself without the ticket.

Response 4: localhost/api

  • This time the CAS client looks at the $_SESSION to remember what the ticket was, and then processes the API request returning JSONP.

There's no particular reason I'm using CAS over OpenID or OpenAuth(orization). CAS was just the first authentication module I was able to get working in WordPress. I am open to suggestions in terms of using a different authentication library, CMS, framework, etc. Although, my hope is to just get this project finished. So the less re-tooling the better.

Answer

Razor · Apr 6, 2012

As you later found yourself, as you added in your comments, AJAX requests are subject to the same-origin policy.

Yes, you could use JSONP - however, if you are fortunate enough to have to support only IE8 and upwards, CORS might be a better solution.

Basically, by adding headers such as

access-control-allow-origin: http://api.example.com
access-control-allow-credentials: true

to your server answer, you could work around the cross-origin policy.

Also see this jQuery ticket to make it kinda work with jQuery.
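The header-setting step from the answer above, worked through as an added example (not code from the question, the answer, or phpCAS): a Node.js helper that computes the CORS response headers for a credentialed, session-backed API like the PHP one in the question, including the preflight case. The allowlisted origins are assumed placeholders; the same headers would be emitted with header() in PHP.

```javascript
// Added example: CORS headers for an API that relies on the session cookie.
// Origins below are assumed for illustration, not taken from the question.
const ALLOWED_ORIGINS = new Set([
  'http://localhost',        // the page at localhost/example (assumed)
  'https://api.example.com', // second front-end origin (assumed)
]);

// requestHeaders: an object with lowercase keys, as Node's req.headers gives.
// Returns the CORS headers to add, or {} when the Origin is not allowed,
// in which case the browser refuses to hand the response to the page.
function corsHeaders(requestHeaders, allowed = ALLOWED_ORIGINS) {
  const origin = requestHeaders['origin'];
  if (!origin || !allowed.has(origin)) return {};
  const headers = {
    // Echo the exact allowed origin. '*' is rejected by browsers when
    // credentials are sent, and would otherwise open the API to any site.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response differs per Origin, so caches must key on it.
    'Vary': 'Origin',
  };
  // A preflight (OPTIONS) request carries Access-Control-Request-Method.
  if (requestHeaders['access-control-request-method']) {
    headers['Access-Control-Allow-Methods'] = 'GET, POST';
    headers['Access-Control-Allow-Headers'] = 'Content-Type';
    headers['Access-Control-Max-Age'] = '600'; // cache the preflight 10 min
  }
  return headers;
}

// Demo: an allowed origin, a preflight, and a denied origin.
console.log(corsHeaders({ origin: 'http://localhost' }));
console.log(corsHeaders({ origin: 'http://localhost',
                          'access-control-request-method': 'POST' }));
console.log(corsHeaders({ origin: 'http://other.example' })); // {}
```

On the client, jQuery must also send the cookie cross-origin (xhrFields: { withCredentials: true }), or the CAS session is never seen by the API.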