Rejecting unauthenticated requests from apache2

Jeremy Shapiro jnshapiro at
Wed May 13 17:04:22 EDT 2015

I have an application, which I don't have much development control over,
protected by an apache2 proxy running mod_shib.  The application is making
ajax calls.  When the user's session expires, the ajax calls return 302
status (to the idp server) which are either ignored or cause other weird
behavior depending on the browser, even with CORS configured correctly.
  I'd like to have apache2 reject these ajax calls when they do not have a
valid session, rather than using lazy sessions and relying on the
application.   Is there some sample apache config that would do this?  I
would prefer to have apache return an error code when there's no valid
session for a particular location match, rather than trying to rewrite any
302 to a 401.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list