Shib with REST and AJAX Best Practices

Russell J Yount rjy at
Tue Sep 13 13:16:47 BST 2011

We have some developers here using REST and AJAX together with Shibboleth. The problem of the Javascript not understanding the 302 redirects that shibboleth uses when re-authenticating has come up.

The groups solution has been to:

1) Change the sessions statement to look something like this:

<Sessions lifetime="28800" timeout="86400" checkAddress="false" relayState="ss:mem" handlerSSL="true">

The key here is setting the lifetime value lower than the timeout value.

2) Add the following directives to the httpd.conf file (they added them globally, but there is no reason it couldn't be done at a directory level I suppose):

       Header unset ETag

       Header set Cache-Control "max-age=0, must-revalidate"

       Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"

This seems to work for them. Is there a better way to handle this?

One possible alternative I have suggested would be to have the application manage its own session (using on authentication page protected by Shibboleth).

What is the best practice for this?


Russell J. Yount rjy at<mailto:rjy at>
Identity Services, Carnegie Mellon University
-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list