Change that user-agent string to something valid instead of myagent.

When I hit facebook with that script I get a Location header item as expected.

Regarding autocheck=>1, from WWW::Mechanize manpage:

Checks each request made to see if it was successful. This saves you t
+he trouble of manually checking yourself. Any errors found are errors
+, not warnings.
[download]

Setting max_redirect=0 is good for making sure things work and gives you all control. But there is an easier way to do it:

$m->max_redirect(3); # whatever redirects you may thing you will get o
+r more
my $content = $m->post($uri);

my $ri=0;
foreach my $aredirect ($content->redirects()){
        $ri++;
        print "REDIRECT $ri ******\n".($aredirect->as_string())."\nEND
+ ****\n\n";  
}
[download]

That is, you loop through the headers of each of the redirects encountered to get what you need and at the same time you are at your final URL to hit login.

bw, bliako

I've inserted your code into my script.

But the response is exactly the same as the one I've posted before.

If I try against facebook, like you did, I get all the redirect headers.

Must be something about the site itself, unfortunately there is no one to ask.

Thank's very much, though!

For the sake of closing this thread, I have solved this.

In the end it was not overly complex but there was just more to it than initially known.

tl;dr: the trick was not to follow the redirect after receiving the ticket (this invalidated the ticket already).

Thanks for your help bliako.

#!/usr/bin/env perl
###Modules
use WWW::Mechanize;
use HTTP::Cookies;
use HTTP::CookieJar::LWP ();
use IO::Socket::SSL qw();
use Data::Dumper;
use JSON;

###Variables & Declarations
my $creds = "$ENV{'HOME'}/.credentials";
my $uri ="https://xxx.employer.xxx/app/login?service=https://xxx.emplo
+yer.xxx/app/service";
my $cookie_jar = HTTP::Cookies->new(); 

my ($username,$password) = get_credentials($creds);

my $fields = {
    username    => $username,
    password => $password,
};
my $m = WWW::Mechanize->new( cookie_jar => $cookie_jar, autocheck => 0
+, ssl_opts => { SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE, 
+verify_hostname => 0 }, env_proxy => 1, keep_alive => 1, timeout => 1
+20, agent => 'Windows IE 6' );
$m->max_redirect(0);

############## Log in and get Ticket ##################

my $content = $m->post($uri);

$m->submit_form(
    form_number => 1,
    fields      => $fields,
    button      => 'submit'
);

my $location = $m->response()->header('Location');
my $ticket_id = (split /ticket=/, $location)[1];
############## /Log in and get Ticket ##################

############## Create Session and get authorization id ###############
+###

$m->add_header('Content-Type' => 'text/plain');
$m->add_header('Accept' => ['text/plain', 'application/json']);
#$m->delete_header('Referer');

my $session_url = "https://xxx.employer.xxx:<port>/session";

my $contentp = $m->post($session_url, 'Content' => "$ticket_id");
my $resp = $contentp->decoded_content()."\n\n";
my $decoded_json = decode_json( $resp );
my $id = $decoded_json->{id};

############## /create session and get authorization id###############
+###

############## do authorized stuff #########################
$m->add_header('Authorization' => $id);
$m->post("whatever");

from here on I'm doing stuff inside the session...
[download]