
How to handle expired sessions versus AJAX

 
Paul Clapham
Sheriff
Posts: 20206
I recently modified some of our web applications to use AJAX. Basically a request gets sent to the server, and the response gets put into a div by assigning it to the div's innerHTML. Works very nicely.

But another feature of our applications is that if you don't do anything for some time, your session gets discarded and the next time you send a request, it gets redirected to the login page.

Combining these two features, what happens is that the login page occasionally shows up in a little box inside an application page.

What I would like to happen, of course, is for the AJAX code to realize that it's the login page it's getting back and to handle it differently. I can't see how to do that without some kind of hackery. The server can't tell what's an AJAX request and what isn't, and I don't really want it to know that anyway. I thought of having the server send out the login page with a different response code instead of 200, but none of the alternatives looks any good to me.

And the book I have on my desk doesn't mention this issue. Anybody have any suggestions what I could try?
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64205
In our financial web app we return a "custom" code of 555 to indicate that security timeout has expired (we don't rely upon the session timeout for this). A wrapper around the Ajax call that is used throughout the app recognizes this return code and triggers the re-authentication.
 
Paul Clapham
Sheriff
Posts: 20206
I hadn't thought of using an invalid response code. I'll give that a try next week when I have some time. Thanks.
 
Bear Bibeault
Author and ninkuma
Marshal
Posts: 64205
I'm not sure I'd call it invalid as much as "user-defined". There may be purists who would be up in arms, but it seems to work well for our purposes.

One of the key benefits (I think) to our approach is that the session rarely times out (it's set to like 24 hours or so) so all state is retained after the user re-authenticates. We just keep track of the security timeout in the session and use a filter to determine if the user has been idle for 15 minutes (time limit set by industry security audit standards). Even if the user times out when submitting a complicated form, we can just resubmit it after the authentication and except for the re-login, the user has no disruption in their workflow.
[ February 22, 2008: Message edited by: Bear Bibeault ]
 
saivenu madhav
Greenhorn
Posts: 29
Hi Paul,

Have you found out the solution? The same thing is needed in our application.

Could you please let me know if there are any answers.


Thanks & Regards
Madhav
 
saivenu madhav
Greenhorn
Posts: 29
Hi Bear Bibeault

How are you handling idle timeout in the filter?

Could you help in this regard?

Thanks in advance
Madhav
 