OAuth Callback Redirect Issue - Browser Prefetch Conflict

[Justin Isenhour]

NOTE:  This is a duplicate of the post I made to CAS Community Group:

https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/rf-WfL6BXzg

I am currently running CAS 5.3.7 in production and have gotten a few reports from users that if they already have an SSO session and attempt to go to one of our client app URLs directly they end up on our main SSO landing page instead of getting to the client app, all users so far have been using Chrome browser.  After much troubleshooting I have discovered the root of the issue.  It seems that when a user is typing the URL into the address bar that Chrome, in some cases, will execute a Prefetch call to the URL before the user presses enter to load the site.  In this case the prefetch call triggers the OAuth SSO process and while tracing you can see a full set of redirect/interactions, all with header Purpose: Prefetch.  There is a rare timing situation that can occur if the user presses enter to load the client site close enough to the time the browser is executing the prefetch call.  After digging through the CAS 5.3.7 code I see in OAuth20CallbackAuthorizeEndpointController, line 68, callback.perform.  This calls DefaultCallbackLogic class from pac4j, and during method redirectToOriginallyRequestedUrl, the redirect happens.  The originally requested URLs is expected to be stored in the session object and once it is fetched the session value is set to null to clean up the session, if empty then it will redirect to default URL which is /.  In this rare timing situation it seems that the prefetch is happening first and clears the redirect URL from the session after the real request hit the server but before it triggers the callback method.  This means that when the real request executes the callback the session object has already been cleared, resulting in a redirect to default URL (/).

Is anyone else aware of this?  Does anyone have a solution in mind other than overriding the pac4j logic myself to not clean up the session?  

FYI - I know this could be handled by turning off the prefetch setting in the browser but that is a less favorable option as of now because we have a large population of users (30k) that we do not control the browser setting for through our Corporate GPO, these are external clients that we federate with (100+ different client organizations).

Thanks in advance,

Justin Isenhour