Safari

Owned by Andrew Petro
Last updated: Jan 31, 2007 by ScottSVersion comment
1 min read

Question:

Hey! CAS treats the Safari browser specially. Do you just not like Safari users? Got something against Macintosh? Just jealous that you can't have that slick fast web browser on your platform of choice?

Answer:

Not quite.

Safari exhibited what we regard as a severe and unacceptable bug with regard to CAS login. The special treatment of Safari is in response to that bug.

The bug

For any sufficiently old enough version of Safari, there can be no redirects at all. Back when we first discovered this bug, we tried out HTTP 30x redirects, <META HTTP-EQUIV="refresh" ...>, and Javascript window.location="...", and found that Safari did not behave in any of those cases. The exact behavior was:

1. user logs into CAS for a service
2. CAS redirects the user to that service
3. when user gets to service, he clicks "Back" in Safari
4. Safari offers to repost form data
5. user clicks yes
6. Safari posts username & password to service

I don't know exactly which version of Safari fixed this bug, but you won't see this behavior in new versions of Safari.

The special treatment

CAS 2.0.12 does not redirect from CAS to the Service with a ticket. It instead paints a screen on which users must manually click a link to head along to the service with the ticket.

To be safe, you should do exactly what the current CAS distribution does – if it's Safari, display the "Click here to continue" screen. Take a look at our goService.jsp.