I believe this ultimately will fix the issue we are seeing with approvers (knock on wood). We were not applying any judgement to the "return_to" URLs we were storing for session change/login between user types. This allowed for URLs like '/approver.json' to be stored. I actually adapted some code from Scholarsphere to add some discretion to what we store. I still do not know exactly why a .json request was being used to log in. Perhaps when Azure resets a session it just takes the last request? If a user left their browser open to our approvers page for a while, then went to reload, this might've been triggered and the .json request was used?
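An added sketch of this kind of "return_to" filtering (not the code from this change or from Scholarsphere): a path is remembered only for navigational GET requests, so '/approver.json' never replaces a stored page. The `Request` struct and the helper names are hypothetical stand-ins, and the non-GET, XHR and off-site checks go beyond the single case described above.

```ruby
require "uri"

# Constructed stand-in for a framework request object (hypothetical).
Request = Struct.new(:method, :fullpath, :xhr, keyword_init: true)

# Extensions that correspond to a page a browser can land on after login.
NAVIGATIONAL_EXTENSIONS = ["", ".html"].freeze

# Decide whether a request's path may be remembered as the post-login
# "return_to" target. Hypothetical helper name.
def storable_return_to?(request)
  return false unless request.method == "GET" # never replay state-changing requests
  return false if request.xhr                 # background fetches are not pages

  path = request.fullpath.to_s
  return false unless path.start_with?("/")   # same-site relative paths only
  return false if path.start_with?("//")      # protocol-relative means off-site
  return false if path.include?("\\")         # some browsers treat "\" as "/"

  uri = URI.parse(path)
  return false if uri.host || uri.scheme
  # Rejects /approver.json, /approver.xml, etc.; query strings are ignored here.
  NAVIGATIONAL_EXTENSIONS.include?(File.extname(uri.path).downcase)
rescue URI::InvalidURIError
  false
end

# Store the location only when it passes the filter; otherwise keep the
# previously stored value untouched.
def remember_location(session, request)
  session[:return_to] = request.fullpath if storable_return_to?(request)
  session
end
```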