Peter Mogensen <[email protected]> writes:

> On 2012-09-08 01:15, Russ Allbery wrote:
>> ...it does only work with GET. It should work with GET even from an
>> AJAX application, *provided* that the user doesn't need to do an
>> interactive login, but of course if the reason why the session is
>> expiring is because the user's single sign-on credentials are expiring,
>> that doesn't help. In that case, you need the whole browser to
>> participate.

> Except... new trends in cross-site-scripting protection and privacy
> require you to be the host named in the browser location bar to set a
> cookie.

Sure, but you are. When you do a GET to a WebAuth-protected site with an
expired token, you get a redirect to WebLogin followed by a redirect back
to the original site, which re-establishes your cookies and then gives
you the resource you asked for. As long as your AJAX follows those
redirects, and for a GET there's no reason why it wouldn't, it does
indeed work and re-establish the cookie as long as the single sign-on
credentials are still good. There's no special trickery involved, just
the normal browser cookie handling, and each site only sets cookies for
its own scope.

-- 
Russ Allbery <[email protected]>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
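As an added illustration (not part of this thread and not WebAuth's own code), the following toy model walks through the redirect chain described in the reply above: an application host, a WebLogin host, and a browser that follows redirects while keeping a per-host cookie jar. All hostnames, cookie names and token formats are constructed for the example and are not WebAuth's real ones.

```python
from urllib.parse import urlencode, urlparse, parse_qs

APP = "app.example.edu"          # constructed host names
WEBLOGIN = "weblogin.example.edu"

def app_server(path, query, cookies, now):
    """Application: serves the resource only with an unexpired app token."""
    if "token" in query:
        # Returning from WebLogin: set our own app-scoped cookie, then
        # redirect to the path that was originally requested.
        exp = int(query["token"][0].split(":")[1])
        return 302, {"Location": f"https://{APP}{path}",
                     "Set-Cookie": f"app_token=valid:{exp}"}, ""
    tok = cookies.get(APP, {}).get("app_token")
    if tok and int(tok.split(":")[1]) > now:
        return 200, {}, "resource body"
    # Expired or missing token: bounce to WebLogin with a return URL.
    ret = urlencode({"return": f"https://{APP}{path}"})
    return 302, {"Location": f"https://{WEBLOGIN}/login?{ret}"}, ""

def weblogin_server(path, query, cookies, now):
    """WebLogin: mints a fresh app token only if the SSO cookie is still good."""
    sso = cookies.get(WEBLOGIN, {}).get("sso")
    if not sso or int(sso.split(":")[1]) <= now:
        # SSO credentials expired: an interactive login page comes back,
        # which is the case an XHR cannot handle on its own.
        return 200, {}, "interactive login page"
    ret = query["return"][0]
    sep = "&" if "?" in ret else "?"
    return 302, {"Location": f"{ret}{sep}token=app:{now + 3600}"}, ""

SERVERS = {APP: app_server, WEBLOGIN: weblogin_server}

def browser_get(url, cookies, now, max_redirects=5):
    """Follow redirects as XHR does for GET, storing cookies per host only."""
    for _ in range(max_redirects + 1):
        u = urlparse(url)
        status, headers, body = SERVERS[u.hostname](
            u.path, parse_qs(u.query), cookies, now)
        if "Set-Cookie" in headers:
            # Each response can only set cookies for the host that sent it.
            name, value = headers["Set-Cookie"].split("=", 1)
            cookies.setdefault(u.hostname, {})[name] = value
        if status != 302:
            return status, body
        url = headers["Location"]
    raise RuntimeError("too many redirects")
```

With a live SSO cookie the chain ends at the resource and the application host holds a fresh `app_token`; with an expired SSO cookie the same GET ends at the login page instead.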
