Shib with REST and AJAX Best Practices

[Jim Fox]

> 
> One possible alternative I have suggested would be to have the application manage its own session (using on authentication page protected by
> Shibboleth).
>

We handle this situation by having the application manage its
own sessions.  If an expired session is encountered on a normal
browser request the user is redirected via shib to reauthenticate.
If an expired session cookie is encountered during an ajax request we
send an error response with content that indicates reauthentication
is needed.  On those errors a popup informs the user of a need to
refresh the page to reauthenticate.

Jim