2

I have a jquery calendar widget that do query several event sources on the server and these sources all returns the same JSON format responses.

What is really annoying is that when the user cookie expires these sources all redirect the user to the login page returning HTML content.

I have looked at the request with fiddler and I can see two request done: first one is a request from the jquery calendar object to update the events with http status 302 and immediately after a request to the login page with http status 200.

GET /xyz/Adempimenti/GetEvents?_=1289170335910&start=1288566000&end=1291590000 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Location: /xyz/Login/LogOn?ReturnUrl=%2fxyz%2fAdempimenti%2fGetEvents%3f_%3d1289170335910%26start%3d1288566000%26end%3d1291590000&_=1289170335910&start=1288566000&end=1291590000

My site is deeply based on ajax calls and this one of the calendar is just an example to explain the problem i am facing to. I would like to avoid to handle the error on every ajax call and do a redirect. The optimal way would be to find a way to automatically disconnect the user when his session cookie expires. I have seen this implemented in some web email system that automatically create a dialog saying that the session has expired.

Any help on this direction?

Lorenzo
  • 29,081
  • 49
  • 125
  • 222

2 Answers2

4

When jQuery does an AJAX request, it sends the HTTP_X_REQUESTED_WITH header.

Have you considered checking for that header on server side? If the session has timed out, instead of redirecting to the login page, you could return a JSON structure containing the "please log in" error message.

That would be the cleanest method in my eyes.

Another idea would be to make an additional Ajax request before doing the "real" one. If the first request fails or gets a text/html content type back, you know you are no longer logged in. Not very elegant but easier than trying to count the session duration on client side (which is bound to be unreliable).

Pekka
  • 442,112
  • 142
  • 972
  • 1,088
  • @Pekka: dont like your second method! :) But the first seems to be interesting. I could write a custom action filter and place it inside my base controller right? Have you got any code sample to start? – Lorenzo Nov 07 '10 at 23:56
  • @Lorenzo sorry, I'm a PHP man, I have no experience in ASP so I can't help with the implementation. It was the jQuery tag that lured me here :) – Pekka Nov 07 '10 at 23:58
  • @Pekka: Ok. Thank you very much for your suggestion. I will try to implement it. – Lorenzo Nov 08 '10 at 00:01
  • @Pekka: Is it clear to me how to handle the check on the server side and how to send back properly JSON. Should I still handle the error on every ajax call or do I have a cleaner way to catch this? – Lorenzo Nov 08 '10 at 00:40
  • @Lorenzo I think you'll have to handle the error on every call, or stop making Ajax calls once you encounter an error. Is it an option to redirect the user to the login page, or to display a login dialog? – Pekka Nov 08 '10 at 09:24
  • Yes. That is exactly wath I want to do, redirect the user to the login page :) – Lorenzo Nov 08 '10 at 12:47
1

I believe you're dealing with a session, whose timeout information is stored server-side (the client doesn't necessarily know when his session will no longer be valid). Get that information and send it to the client with the request. The a simple setTimeout(notifySessionExpiration, sessTimeout * 1000) will do the trick.

To answer peripheral questions:

$ajax = isset($_SERVER['HTTP_X_REQUESTED_WITH']) && 
($_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest')

Will set $ajax to true if you're dealing with an XML request, assuming the browser sends compliant headers (which it tends to do these days).

You will probably want to isolate the part of your code that sends the 302 (perhaps an application-wide controller that handles fetching the user's personal information based on the session) and put together an exception if $ajax is true. You'd probably want to send back a 401 or 403 and then have your Javascript callback respond to that status in a particular way (e.g., redirecting to login page or providing an popup Ajax login overlay).

If this is just a toy site and you're willing to get your hands dirty to create a more robust solution, I can make the following recommendations.

  • Don't use a semantically misleading XHR detector: in my opinion, delivering different content to different requesters is perfectly reasonable if it's the same-ish content with specific adaptations for the requester (e.g., browser quirks). But when a particular requester has a fundamentally different functional role (e.g., when an XHR gets sent in expecting a JSON/XML response vs. when a browser sends in a normal HTTP request for HTML), then the request shouldn't be for the same asset. The best practice, in my opinion, is to produce HTML for .html or extension-less paths, for instance GET /mypage.html or GET /mypage, whereas XHR-tailored content should be of the GET /mypage.json or GET /mypage.xml nature. This is not to say that XHR should never get an HTML response. Sometimes, it's perfectly appropriate, like when you're loading an HTML snippet for a login form or if you're just using AJAX for page transitions.
  • Implement a system to keep your session alive: if you must have your session expire by time alone rather than just lasting until the browser is closed, then put in a client-side call to refresh the session with a simple AJAX request before it expires (if the page is closed, the request isn't fired, allowing the session to expire when the allotted time passes).
Steven
  • 17,796
  • 13
  • 66
  • 118
  • 1
    re the first paragraph: IMO the client-side timeout is not reliable enough - imagine a user having two tabs open, and keeping the session alive in one tab. This needs a server-side solution I think, i.e. dealing with the timeout in a manner that works for the client. However note that he's on ASP on the server side. Interesting points about the XHR detector – Pekka Nov 08 '10 at 00:24
  • I can not use the setTimeout sample neither I can pursue the way to keep the session alive. The problem to check whether the user is still connected or not, you're right, is related to server session and should be handled in an application wide controller. But the real problem is on the client side where I would like to avoid checking errors and redirect on every ajax call – Lorenzo Nov 08 '10 at 00:38
  • @Pekka, I dislike the solution too, as I am irked by the relatively antiquated applications that rely on it. @Lorenzo, I'm not sure what you're asking for here. The two, not necessarily mutually exclusive, approaches are (1) to have the client pre-empt session expiration by giving them some indication of when the session is about to expire and (2) to have the server more gracefully handle XHR requests rather than just dish out 302's, which are handled transparently to Javascript. Assuming you want sessions to expire, those are your options. – Steven Nov 08 '10 at 00:46
  • I am sorry, my english is far to be perfect and so I maybe did not explain it as good as I would. I have now implemented the server handling checking for the presence of the `HTTP_X_REQUESTED_WITH` header. In the case the user session has expired I am sending a simple JSON structure back to the client. My question now is: do I have to handle this structure on every ajax call that I make or there is a better way to centralize it? Thanks for your help – Lorenzo Nov 08 '10 at 01:06
  • @Lorenzo, you'd do it the same way you "centralize" most things in programming. Generalize your AJAX function calls into a central handler or several layers of handlers and then put the filter for the response code in the applicable handlers. If `XMLHttpRequest.send()` appears more than a couple times in your code, you may be "doing it wrong". – Steven Nov 08 '10 at 01:32