I recently modified some of our web applications to use AJAX. Basically a request gets sent to the server, and the response gets put into a div by assigning it to the div's innerHTML. Works very nicely.
But another feature of our applications is that if you don't do anything for some time, your session gets discarded and the next time you send a request, it gets redirected to the login page.
Combining these two features, what happens is that the login page occasionally shows up in a little box inside an application page.
What I would like to happen, of course, is for the AJAX code to realize that it's the login page it's getting back and to handle it differently. I can't see how to do that without some kind of hackery. The server can't tell what's an AJAX request and what isn't, and I don't really want it to know that anyway. I thought of having the server send out the login page with a different response code instead of 200, but none of the alternatives looks any good to me.
And the book I have on my desk doesn't mention this issue. Anybody have any suggestions what I could try?
In our financial web app we return a "custom" code of 555 to indicate that the security timeout has expired (we don't rely upon the session timeout for this). A wrapper around the Ajax call that is used throughout the app recognizes this return code and triggers the re-authentication.
I'm not sure I'd call it invalid as much as "user-defined". There may be purists who would be up in arms, but it seems to work well for our purposes.
One of the key benefits (I think) to our approach is that the session rarely times out (it's set to like 24 hours or so) so all state is retained after the user re-authenticates. We just keep track of the security timeout in the session and use a filter to determine if the user has been idle for 15 minutes (time limit set by industry security audit standards). Even if the user times out when submitting a complicated form, we can just resubmit it after the authentication and except for the re-login, the user has no disruption in their workflow.

[ February 22, 2008: Message edited by: Bear Bibeault ]