Question:
Hey! CAS treats the Safari browser specially. Do you just not like Safari users? Got something against Macintosh? Just jealous that you can't have that slick fast web browser on your platform of choice?
Answer:
Not quite.
Safari exhibited what we regard as a severe and unacceptable bug with regard to CAS login. The LoginTicket gymnastics and special treatment of Safari are in response to that bug.
For any sufficiently old enough version of Safari, there can be no redirects at all. Back when we first discovered this bug, we tried out HTTP 30x redirects, <META HTTP-EQUIV="refresh" ...>, and Javascript window.location="...", and found that Safari did not behave in any of those cases. The exact behavior was:
1. user logs into CAS for a service
2. CAS redirects the user to that service
3. when user gets to service, he clicks "Back" in Safari
4. Safari offers to repost form data
5. user clicks yes
6. Safari posts username & password to service
I don't know exactly which version of Safari fixed this bug, but you won't see this behavior in new versions of Safari.
To be safe, you should do exactly what the current CAS distribution does – if it's Safari, display the "Click here to continue" screen. Take a look at our goService.jsp.