浏览器不遵循来自 AJAX 响应的重定向（PHP 生成的响应使用 CAS 身份验证）

Question

Ok, It looks like I made a mistake with my initial question. So, here are some corrections. The answer still applies, because the second redirect is stopped when there is a change in protocol to HTTPS (SSL).

In my case, I have a redirect occurring multiple times, and the browser doesn't follow the second redirect. The first redirect is followed but returns an error.

I keep reading that JavaScript AJAX responses containing redirects are followed automatically, but it look like not in my case. The first redirect is automatically followed by the browser, and the first redirect is returned without following the second redirect in the header. My problem is that I want all the redirects to be automatically followed by the browser.

The redirects are part of the phpCAS library. I have an API written in PHP which checks the user authentication, each time, before returning the results.

Here is the sequence. The main thing to note is that the browser returns the second response, after following 1 redirect. I would prefer it went all the way and returned the last response when I make an AJAX call to localhost/example/api .

localhost/example

• Calls localhost/example/api using jQuery.ajax()

Response 1: localhost/example/api

• Redirects to https://localhost/accounts/cas/login?service=api.example.com&gateway=true (using SSL).

Response 2: (SSL) localhost/accounts/cas/login?service=api.example.com&gateway=true

• When the query key 'gateway' is present, the login simply redirects back to the URL provided by the 'service' key with or without a ticket (to signal to service that the user is either logged in or not).

Response 3: localhost/api?ticket=TICKET

• Verifies the ticket and redirects back to itself without the ticket.

Response 4: localhost/api

• This time the CAS client looks at the $_SESSION to remember what the ticket was, and then processes the API request returning JSONP.

There's no particular reason I'm using CAS over OpenID or OpenAuth(orization). CAS was just the first authentication module I was able to get working in WordPress. I am open to suggestions in terms of using a different authentication library, CMS, framework, etc. Although, my hope is to just get this project finished. So the less re-tooling the better.

Answer 1

As you later found yourself as you added in your comments, ajax requests are subject to same origin policy .

Yes, you could use JSONP - however, if you are fortunate enough to have to support only IE8 and upwards, CORS might be a better solution.

Basically, adding headers such as

access-control-allow-origin: http://api.example.com
access-control-allow-credentials: true

to your server answer, you could work around cross origin policy.

Also see this jQuery ticket to make it kinda work with jQuery.