JavaRanch » Java Forums » Engineering » HTML, CSS and JavaScript
How to handle expired sessions versus AJAX

Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18911
I recently modified some of our web applications to use AJAX. Basically a request gets sent to the server, and the response gets put into a div by assigning it to the div's innerHTML. Works very nicely.

But another feature of our applications is that if you don't do anything for some time, your session gets discarded and the next time you send a request, it gets redirected to the login page.

Combining these two features, what happens is that the login page occasionally shows up in a little box inside an application page.

What I would like to happen, of course, is for the AJAX code to realize that it's the login page it's getting back and to handle it differently. I can't see how to do that without some kind of hackery. The server can't tell what's an AJAX request and what isn't, and I don't really want it to know that anyway. I thought of having the server send out the login page with a different response code instead of 200, but none of the alternatives looks any good to me.

And the book I have on my desk doesn't mention this issue. Anybody have any suggestions what I could try?
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61662
In our financial web app we return a "custom" code of 555 to indicate that the security timeout has expired (we don't rely upon the session timeout for this). A wrapper around the Ajax call that is used throughout the app recognizes this return code and triggers the re-authentication.


Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18911
I hadn't thought of using an invalid response code. I'll give that a try next week when I have some time. Thanks.
Bear Bibeault
Author and ninkuma
Marshal

Joined: Jan 10, 2002
Posts: 61662
I'm not sure I'd call it invalid as much as "user-defined". There may be purists who would be up in arms, but it seems to work well for our purposes.

One of the key benefits (I think) to our approach is that the session rarely times out (it's set to like 24 hours or so) so all state is retained after the user re-authenticates. We just keep track of the security timeout in the session and use a filter to determine if the user has been idle for 15 minutes (time limit set by industry security audit standards). Even if the user times out when submitting a complicated form, we can just resubmit it after the authentication and except for the re-login, the user has no disruption in their workflow.
[ February 22, 2008: Message edited by: Bear Bibeault ]
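Bear's two posts above describe one mechanism from both ends: a filter that keeps a security timestamp in a long-lived session and answers with 555 once the user has been idle for 15 minutes, and an Ajax wrapper that recognizes 555, re-authenticates, and resubmits the original request so no form data is lost. The block below is an added example, not code from the thread or from Bear's application. It models the servlet filter as a plain JavaScript function and drives the client wrapper with a synchronous stand-in for the XMLHttpRequest call, so it runs offline; the names (securityFilter, securedRequest, makeServer, reauthenticate), the 15-minute constant and the form-saving handler are assumptions made for the example.

```javascript
// Added example, not code from the thread: the 555 pattern modelled end to
// end so it runs offline. The "server" half stands in for the servlet filter
// (idle check against a 15-minute security timeout kept in the session); the
// "client" half is the Ajax wrapper that recognizes 555, re-authenticates and
// resubmits the original request. All names are my own, and the transport and
// login prompt are synchronous stand-ins for the asynchronous XMLHttpRequest
// call and login dialog a browser would use.

const SECURITY_STATUS = 555;              // user-defined status, as in the post
const IDLE_LIMIT_MS = 15 * 60 * 1000;     // 15 minutes idle => re-authenticate

// ---- server side: session plus a stand-in for the filter --------------------

// The HTTP session itself lives for hours; only `lastActivity` decides whether
// the filter lets a request through. Everything else in it survives a timeout.
function makeSession(now) {
  return { lastActivity: now, authenticated: true, form: null };
}

// Runs before the real handler. Idle too long => short-circuit with 555 and
// leave the session data alone, so nothing is lost across the re-login.
function securityFilter(session, now, handler) {
  if (!session.authenticated || now - session.lastActivity > IDLE_LIMIT_MS) {
    session.authenticated = false;
    return { status: SECURITY_STATUS, body: "security timeout" };
  }
  session.lastActivity = now;               // activity resets the idle clock
  return handler(session);
}

// What the login endpoint does on a successful re-authentication.
function reauthenticate(session, now, credentialsOk) {
  if (!credentialsOk) return false;
  session.authenticated = true;
  session.lastActivity = now;
  return true;
}

// A handler that stores a posted form in the session, wrapped by the filter.
function makeServer(session, clock) {
  return function serve(req) {
    return securityFilter(session, clock.now, (s) => {
      s.form = req.body;
      return { status: 200, body: `saved ${Object.keys(req.body).length} fields` };
    });
  };
}

// ---- client side: the Ajax wrapper used throughout the app ------------------

// transport(req) -> {status, body}; onSecurityTimeout() -> true if the user
// logged in again. Every Ajax call goes through here, so a login page can
// never end up in a div's innerHTML: a 555 is handled before the caller sees
// any body at all.
function securedRequest(transport, req, onSecurityTimeout) {
  let resp = transport(req);
  if (resp.status !== SECURITY_STATUS) return resp;
  if (!onSecurityTimeout()) return resp;    // user cancelled: surface the 555
  return transport(req);                    // replay the identical request once
}

// ---- scenario: active user, idle user who re-logs in, idle user who cancels --

function simulate() {
  const clock = { now: 0 };
  const session = makeSession(clock.now);
  const serve = makeServer(session, clock);
  const statuses = [];
  let prompts = 0;

  clock.now = 5 * 60 * 1000;                // 5 minutes in: still active
  statuses.push(securedRequest(serve, { body: { a: 1 } }, () => false).status);

  clock.now += 20 * 60 * 1000;              // 20 idle minutes: filter fires
  const r2 = securedRequest(serve, { body: { a: 1, b: 2, c: 3 } }, () => {
    prompts += 1;
    return reauthenticate(session, clock.now, true);   // valid credentials
  });
  statuses.push(r2.status);

  clock.now += 20 * 60 * 1000;              // idle again, but the user cancels
  statuses.push(securedRequest(serve, { body: { a: 1 } }, () => false).status);

  return { statuses, prompts, replayBody: r2.body,
           fieldsKept: Object.keys(session.form).length };
}
```

In a real deployment the transport is the XMLHttpRequest or fetch call and onSecurityTimeout opens the login dialog, both asynchronous, but the control flow is the same. Check the status before any generic error handling: a browser treats an unregistered 5xx as an ordinary server error (an unrecognized status is treated as the x00 of its class), so a wrapper that routes all 5xx responses to a generic error handler first will never see the 555. The wrapper replays once and otherwise surfaces the 555, so a second timeout cannot loop. Two security caveats for the replay: keep the pending request in the page's own memory, never in shared or persistent storage, and if your login rotates a per-session CSRF token, re-read it after re-authentication before resubmitting, or the replayed form will be rejected.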
saivenu madhav
Greenhorn

Joined: Nov 15, 2007
Posts: 29
Hi Paul,

Have you found the solution? The same thing is needed in our application.

Could you please let me know if there are any answers


Thanks & Regards
Madhav
saivenu madhav
Greenhorn

Joined: Nov 15, 2007
Posts: 29
Hi Bear Bibeault

How are you handling the idle timeout in the filter?

Could you help in this regard?

Thanks in advance
Madhav