Frames Anomalies

Cantor, Scott cantor.2 at
Tue Feb 5 17:36:37 EST 2013

> My application occupies a browser window with multiple frames.  I submit a
> form from one of the frames and expect the returned output to occupy the
> same frame.  My session has timed out, and the re-authentication login page
> occupies the entire browser window.

That would not be typical, but if it did happen, that would be a consequence of your application and configuration, not Shibboleth. The IdP will not generally work in a frame, so it isn't clear what your goal is, but if the whole window replaces, then the request to the server was *not* just within the frame, but for the frameset. That in turn was apparently protected, and required a new login, and so the whole window changed.

> Questions:
> (1) Is there a mechanism (option) to retain the original frames and content
> following re-authentication?

Not unless your application has the ability to preserve its own state in such a manner as to cause that result. Shibboleth has nothing to say about it. In general I would say that's pretty unlikely but with client side storage these days, it could be done.

> (2) Where might one expect the authentication login page to open?  in a
> window/frame indicated by the last/current application request, in a window
> indicated by some shibboleth configuration file, or some other determinant?

Shibboleth has absolutely nothing to do with it. You decide what to protect and your application decides what URLs to access, when, and in what frames. So it's all you. The rest is mechanical. Trace the requests and you'll see what it's doing.

> (3) Can the re-authentication login page be directed to open in a new
> browser window, thus preserving the frames in the original window?

Not in general, but by the time any such control could be applied, your application has caused the browser to access a URL on behalf of the whole window that is protected, and thus it's too late to do anything.

> (4) Is the original HTML attribute "target" passed (retained) through the
> entire re-authentication process?

That is a client-side attribute; it has no effect on the web requests the server sees. There's nothing to preserve. The browser has decided in what frame to perform requests; it's not up to the server and is not reflected in any URLs.

-- Scott
