Announcement Announcement Module
Collapse
No announcement yet.
How to handle Ajax session timeouts in Acegi Page Title Module
Move Remove Collapse
This topic is closed
X
X
Conversation Detail Module
Collapse
  • Filter
  • Time
  • Show
Clear All
new posts

  • How to handle Ajax session timeouts in Acegi

    Just wondering what would be the right approach to handle session timeouts during AJAX when the web application is protected by Acegi?

    The web application is configured to use a typical setup, if the session is expired, the user will be redirected to the login page.

    But this creates a problem if the AJAX call is made after the sesion is expired. The client code that made the AJAX request will get the login page as a result of the call and doesnt even know that it received wrong data.

    The problem happens when the Acegi filter chain consumes the 403 (forbidden) status codes and return a redirect (301, 302) to the client. The XmlHttpRequest then will follow the redirect URL and eventually the client code will get a HTTP status code of 200.

    One possible solution is to have a custom Acegi interceptor which, after identifying that it is an AJAX request can send a 403 code back to the client. The client in turn will identify this situation and do appropriate actions.

    There are a few different ways to check if a request is indeed an AJAX request, simplest being to pass an extra parameter to the request.

    Anyone experienced this problem? Any suggestions?

    thanks,
    -- suresh --

  • #2
    I am faced with the exact same situation. I would like the AJAX application running in the browser on one particular page to detect a session timeout error thrown from ACEGI and redirect to the standard login page. Have you been able to resolve your problem?

    Thanks,
    Anthony

    Comment


    • #3
      I had the same situation and I handle it by looking at the response text returned from the Ajax request. If it contains a certain flag (in my case "id=loginForm") I know the session timed out because the response contains the login page. I can then take the appropriate action necessary on the client. In the case of a DWR call, I check if there is any response text at all (in which case it is probably due to session timeout - there is some info on the DWR site about this) and if so can take the necessary action. Seems to be a bit of a kludge but it works for now.
      Last edited by kshronts; Jan 18th, 2008, 09:02 AM.

      Comment

      Working...
      X