AJAX created dropdowns and Session timeout

 
Ranch Hand
Posts: 178

We have a JSP page. In that JSP page there are a lot of dynamic dropdowns. Dynamic meaning when a value is selected in dropdown1, it dictates the values that will be listed in dropdown2 and so on. These are done through Ajax.

The problem is when session timeout happens. The ajax calls pass through a controller class back end to query the dropdown values. In our code there is also a filter class which checks the session before forwarding the call to the chosen controller action. Since the filter class will be able to detect the invalid session, the ajax call would not forward to the controller class it's supposed to call. If that happens all dropdowns will show a blank value. This will be confusing to the user.

Is there any way to better handle this?
 
Sheriff
Posts: 67746
Don't pass those requests through the filter.
 
Bartender
Posts: 1845
Well, even if those requests don't pass through the filter, you are just delaying the inevitable.
When the user comes to an interaction that DOES require a session (such as save), what happens then?

How do you deal with a session timeout in the general case?
- alert the user, and close the app?
- ask them to log in again (retaining current context or not?)



 
Andres Delrotti
Ranch Hand
Posts: 178

Bear Bibeault wrote: Don't pass those requests through the filter.



Seems that would cause a hole in the security?
 
Andres Delrotti
Ranch Hand
Posts: 178

Stefan Evans wrote:

How do you deal with a session timeout in the general case?
- alert the user, and close the app?
- ask them to log in again (retaining current context or not?)





We are planning this solution. Catch a mouse click anywhere in the page, then check if the clicked element is any of the dropdowns. If it is, trigger an ajax call in the back end to check the session. If the session is invalidated, return something like "window.location = loginPage.do" in the page.

Would that work? Is that OK?
 
Bear Bibeault
Sheriff
Posts: 67746
That sounds like a horribly overcomplicated and error-prone approach.

First of all, why do the drop down requests need to be validated at all? Unless there is sensitive data being returned to use as drop down values, why bother?

Andres Delrotti wrote: Seems that would cause a hole in the security?



If the dropdowns do contain sensitive data that needs protecting, making additional calls makes no sense. Simply return a response status code that indicates a security timeout from the Ajax requests that return the options data.
 
Andres Delrotti
Ranch Hand
Posts: 178

Bear Bibeault wrote:

If the dropdowns do contain sensitive data that needs protecting, making additional calls makes no sense. Simply return a response status code that indicates a security timeout from the Ajax requests that return the options data.



So you mean, if that happens, the dropdowns should return a single option containing a text like "invalid session" or "no data- session timeout"?

I'm inclined to do your recommendation but wouldn't that confuse the user more? rather than forward him/her to the login page upon onChange of the dropdown?
 
Bear Bibeault
Sheriff
Posts: 67746

Andres Delrotti wrote: So you mean, if that happens, the dropdowns should return a single option containing a text like "invalid session" or "no data- session timeout"?

No, it should return an HTTP status code for the response that indicates the error. I use 555 (anything over 500 is a server error).

Andres Delrotti wrote: I'm inclined to do your recommendation but wouldn't that confuse the user more? rather than forward him/her to the login page upon onChange of the dropdown?

No, because I never said anything about showing that to the user rather than using the status code to allow your code to take appropriate action.
 
Bartender
Posts: 2911

Bear Bibeault wrote: No, it should return an HTTP status code for the response that indicates the error. I use 555 (anything over 500 is a server error).

I suggest using a standard one like HttpServletResponse.SC_FORBIDDEN for such requests.
Javadocs state:

Status code (403) indicating the server understood the request but refused to fulfill it.


 
Bear Bibeault
Sheriff
Posts: 67746
A 403 indicates a permissions rather than authentication failure. Also, browsers may have built-in actions (that are not wanted) for codes under 500. So I use a custom value greater than 500. YMMV.
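
Added example (not code posted by anyone in this thread): one way the page's Ajax code could act on the status-code approach discussed above. It assumes the session filter still guards the dropdown endpoints and answers an expired session with status 555, and that option lists come back as a JSON array; it also covers the assumed case where the filter returned the login page HTML instead. The function names and the `returnTo` parameter are hypothetical.

```javascript
// Added example: values marked "assumed" are not from the thread.
const SESSION_EXPIRED_STATUS = 555; // custom status suggested in the thread
const LOGIN_URL = "loginPage.do";   // login action named in the thread

// Decide what the page should do with the reply to a dropdown request.
// `res` is a plain object { status, contentType, body } so it can be tested.
function interpretOptionsResponse(res) {
  if (res.status === SESSION_EXPIRED_STATUS) {
    return { action: "login", reason: "session-expired" };
  }
  const isJson = /^application\/json\b/i.test(res.contentType || "");
  if (res.status === 200 && !isJson) {
    // Assumed failure mode: the filter answered with the login page HTML,
    // which dropdown code would otherwise render as an empty list.
    return { action: "login", reason: "unexpected-html" };
  }
  if (res.status !== 200) {
    return { action: "error", reason: "http-" + res.status };
  }
  try {
    const options = JSON.parse(res.body);
    if (Array.isArray(options)) return { action: "populate", options };
  } catch (e) { /* fall through to the error result */ }
  return { action: "error", reason: "bad-json" };
}

// Login URL that keeps the user's place. "returnTo" is an assumed parameter
// name; only same-site paths are passed on, and the server must re-check it.
function loginRedirect(currentPath) {
  const isLocal = /^\/(?![\/\\])/.test(currentPath);
  return isLocal
    ? LOGIN_URL + "?returnTo=" + encodeURIComponent(currentPath)
    : LOGIN_URL;
}

// Thin wrapper around fetch; the request still goes through the session filter.
async function loadOptions(url, fetchImpl = fetch) {
  const r = await fetchImpl(url, { credentials: "same-origin" });
  return interpretOptionsResponse({
    status: r.status,
    contentType: r.headers.get("content-type"),
    body: await r.text(),
  });
}
```

On a `login` result the caller sets `window.location` to `loginRedirect(location.pathname + location.search)`; on `populate` it fills the dependent dropdown from `options`.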

 