
It appears as though RSA Cleartrust forces a "302 Moved Permanently" response to unauthenticated, or session-expired, clients. Should one expect Chrome or IE10+ to see this as a 301 Moved Permanently, or a 302 Moved Temporarily? I would have thought the latter, but my jQuery 302 handling is being ignored and 301 behaviors are observed instead.

Sample Fiddler inspection of response in client environment:

```http
HTTP/1.1 302 Moved Permanently
Cache-Control: private
Content-Length: 0
Content-Type: text/html
Location: https://client.com/pub/logon.asp
Set-Cookie: ACTEWDSESSION=%20; domain=.client.com; path=/; HttpOnly
Set-Cookie: CTEWDSESSION=AAAAAgABAEBTlSKXkrdcxFyQIFJ7G2bEaIynGWXBmQGql%2BFy9plQ%2F3ofUQI2h3RNZWHdaFA%2BIi2zYuKAsxekzATPRv%2BgjtBl; domain=.client.com; path=/; HttpOnly
Set-Cookie: ACTEWDSESSION=aHR0cDovL2N2bS5pbnNpZGUudXBzLmNvbTo4MC9NVkMvYXBpL3NoaXBtZW50cy9leHBhbmRlZC83MDY4Nw%3D%3D; domain=.client.com; path=/; HttpOnly
SAMEORIGIN: DENY
X-Powered-By: ASP.NET
Access-Control-Allow-Methods: POST, GET, HEAD, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Authorization, Origin, Content-Type, Accept
Date: Mon, 07 Jul 2014 16:03:03 GMT
```

AJAX wireup:

```javascript
$.ajax({
    url: url.replace(/{id}/g, id).replace(/{custId}/g, custId),
    type: 'GET',
    statusCode: {
        301: ajax301_302Handling,
        302: ajax301_302Handling
    }
}).done(function (data) {
    debugger;
    if (typeof renderDetails == 'function') {
        oTable.fnOpen(nTr, renderDetails(data, id), 'details');
    }
    if (typeof renderDetailsComplete == 'function') {
        renderDetailsComplete(id, custId, data);
    }
});
```
andrewbadera
  • can you show your code that is being ignored? – Daniel A. White Jul 09 '14 at 22:43
  • Can you also show us the exact headers of the response you're seeing? – Matt Gibson Jul 09 '14 at 22:45
  • I edited in a Fiddler capture from the client environment. I can't entirely reproduce it locally, which is why I'm trying to reason out expected behaviors before I go through a test cycle on the client side, as well as extensive regression testing in integration. – andrewbadera Jul 09 '14 at 22:55
  • My local mock can do a 301 Moved Permanently, or a 302 Moved Temporarily, but I can't locally mock a 302 Moved Permanently. – andrewbadera Jul 09 '14 at 22:55
  • what about your javascript? – Daniel A. White Jul 09 '14 at 22:57
  • And, I can "kind of" mock a 302 Moved Permanently, as seen in answer response below, but I'm not sure it's legit. – andrewbadera Jul 09 '14 at 23:00
  • Looks like [302 should be handled transparently by the browser](http://stackoverflow.com/questions/373087/catching-302-found-in-javascript), which I'm guessing is the behaviour you're seeing. I'd say that the browser is transparently redirecting to `Location: https://client.com/pub/logon.asp` and returning the successful response code from that page. And that that's technically what it should do. – Matt Gibson Jul 09 '14 at 23:06
  • 302 I can intercept and respond to with jQuery's AJAX handler. 301 I cannot. This is expected. 302 "Moved Permanently" seems to behave like a 301, wherein I cannot see/intercept the response in the browser/jQuery. – andrewbadera Jul 09 '14 at 23:08
  • Are you sure you can intercept 302 with jQuery's Ajax handler? I can't. I just tried with a perfectly standard 302 and code similar to yours, and it didn't touch the 302 handler; just went straight to the "done" handler after redirection. A look around the web seems to show this as the expected (if not desired) behaviour... For example, [this question](http://stackoverflow.com/questions/199099/how-to-manage-a-redirect-request-after-a-jquery-ajax-call) seems to show that it's expected behaviour, even though plenty don't want it to be... – Matt Gibson Jul 09 '14 at 23:25
  • When I return a 302 Moved Temp with no Location header from ASP.NET MVC Web API, I can intercept it. When I add a Location header, the runtime changes it into a 301 Moved Perm. The target environment is returning "302 Moved Permanently" with a Location header. – andrewbadera Jul 10 '14 at 00:20
  • Hrm. I'd have thought that every 302 should have a Location header. Otherwise how would you know where the thing had moved to? – Matt Gibson Jul 10 '14 at 06:13

1 Answer


Browsers and other clients should only really care about the status code number itself, not the string.

If there is a Location header, XMLHttpRequest will follow that.

Daniel A. White
  • When I do my best to mock this locally, I use: `var response = HttpContext.Current.Response; response.Clear(); response.Status = "302 Moved Permanently"; response.AddHeader("Location", "http://localhost/dummysite"); response.End(); response.Flush();` And with this, it acts like it does with a 301, and not a 302, in Chrome. With a 302 jQuery intercepts. With a 301, jQuery can't see it. – andrewbadera Jul 09 '14 at 22:56
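
The behaviour discussed in this thread, as an added example that is not code from the question or the answer: the client acts on the numeric status code and ignores the reason phrase, a redirect carrying a `Location` header is followed before any `statusCode` handler can run, and an expired session is therefore detected by checking where the request finally landed. The function names, the `/api/items/1` URL and the trimmed sample capture are constructed for illustration; `finalUrl` is assumed to come from the standard `XMLHttpRequest.responseURL` property, which Internet Explorer does not implement.

```javascript
// Constructed capture, trimmed from the Fiddler response shown in the question.
const SAMPLE_HEAD = [
  'HTTP/1.1 302 Moved Permanently',
  'Content-Length: 0',
  'Location: https://client.com/pub/logon.asp',
].join('\r\n');

const REDIRECT_CODES = new Set([301, 302, 303, 307, 308]);

// Split a raw response head into numeric status, reason phrase and headers.
function parseHead(raw) {
  const [statusLine, ...headerLines] = raw.split(/\r?\n/);
  const m = /^HTTP\/\d(?:\.\d)?\s+(\d{3})(?:\s+(.*))?$/.exec(statusLine);
  if (!m) throw new Error('malformed status line');
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: Number(m[1]), reason: m[2] || '', headers };
}

// Model of what script behind XMLHttpRequest can observe: the decision uses
// only the status number and the presence of Location, never the reason text.
function xhrVisibility(raw) {
  const { status, reason, headers } = parseHead(raw);
  const followed = REDIRECT_CODES.has(status) && 'location' in headers;
  // A followed redirect is invisible; the handler only sees the final response.
  return { status, reason, followed, handlerSeesStatus: followed ? null : status };
}

// Check for use inside .done(): did the request end up on the logon page?
function landedOnLogon(requestedUrl, finalUrl, logonPath) {
  if (!finalUrl) return false; // responseURL unavailable (e.g. Internet Explorer)
  const req = new URL(requestedUrl);
  const fin = new URL(finalUrl);
  return fin.href !== req.href &&
    fin.pathname.toLowerCase() === logonPath.toLowerCase();
}
```

Where `responseURL` is not available, the same decision has to be made from the response itself, for example a marker the logon page is known to contain.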