Thanks again, Russ. Only one comment:
On 2012-09-08 01:15, Russ Allbery wrote:
> ...it does only work with GET. It should work with GET even from an AJAX application, *provided* that the user doesn't need to do an interactive login, but of course if the reason why the session is expiring is because the user's single sign-on credentials are expiring, that doesn't help. In that case, you need the whole browser to participate.
Except... new trends in cross-site-scripting protection and privacy require you to be the host named in the browser location bar to set a cookie.
> I seem to recall that the Microsoft implementation uses the signed PAC information for that purpose? I don't know if it puts the same signed PAC information into S4U2self tickets in the same way.
Don't know... I'm in a Windows-free environment. My impression is that S4U2self is mostly to get the PAC data when you only have simple authentication and not really about authentication as such.
/Peter
