Portal should not return HTML for AJAX requests
When a 302 code is returned to a $.ajax() request, it follows the redirection and has to catch a strange error (bad JSON data, for example). Logically we should return a 401 code for expired sessions, but the HTTP standard provides only limited "Authenticate:" schemes. I think we could extend the standard for AJAX requests as follows:
- Return a 401 code when the session isn't valid
- Insert our scheme in Authenticate: header, for example "Authenticate to http://..."
- Also insert JSON data (or XML if wanted) containing error=>"Authenticate to ..."
That way, the web page can build a popup (or iframe) to get authentication and then replay its AJAX query.
It's not standard, but it can be a good solution for modern applications and could solve the OBM problem.
NB: returning HTML when the Accept header is set to application/json can be considered a bug
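
The proposed exchange, sketched as an added example that is not part of the original report and is not the portal's own code. Assumptions: the portal URL is a constructed placeholder, the function names are hypothetical, AJAX requests are recognised by the Accept or X-Requested-With header, and the challenge is carried in the standard WWW-Authenticate header. The client only accepts a login URL whose origin matches the portal it already trusts before opening a popup.

```javascript
// Added example: names, URL and header checks are assumptions, not portal code.
const PORTAL_URL = "https://auth.example.com/"; // constructed placeholder

// Server side: treat a request as AJAX if it asks for JSON or is an XHR.
function isAjax(headers) {
  const accept = (headers["accept"] || "").toLowerCase();
  const xrw = (headers["x-requested-with"] || "").toLowerCase();
  return accept.includes("application/json") || xrw === "xmlhttprequest";
}

// Server side: answer a request whose session is missing or expired.
function unauthenticatedResponse(headers) {
  if (!isAjax(headers)) {
    // Normal browser navigation keeps the redirect to the portal.
    return { status: 302, headers: { Location: PORTAL_URL }, body: "" };
  }
  const challenge = "Authenticate to " + PORTAL_URL;
  return {
    status: 401,
    headers: { "WWW-Authenticate": challenge, "Content-Type": "application/json" },
    body: JSON.stringify({ error: challenge }),
  };
}

// Client side: pull the login URL out of a 401 body. Returns null unless the
// body is valid JSON and the URL belongs to the portal origin already trusted,
// so a tampered response cannot point the popup at another site.
function loginUrlFrom401(response, trustedOrigin) {
  if (response.status !== 401) return null;
  let data;
  try { data = JSON.parse(response.body); } catch (e) { return null; }
  const m = /^Authenticate to (\S+)$/.exec((data && data.error) || "");
  if (!m) return null;
  let url;
  try { url = new URL(m[1]); } catch (e) { return null; }
  return url.origin === trustedOrigin ? url.href : null;
}
```

After the popup or iframe login completes, the page replays the original AJAX query unchanged.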