3

I have a problem that when a user times out on my site they are still logged in. So they can still do an ajax request. If they do an ajax request on my site my asp.net mvc authorization tag will stop this.

The authorization normally then redirects the user back to the signin page if they fail authorization.

Now since this is an ajax request, what seems to be happening is it sends the entire page back rendered as HTML. So the user never gets redirected since I just got the entire page sent to me as HTML.

However firebug says this in the console:

http://localhost:3668/Account/signIn?ReturnUrl="return" ( this is not in the actual url bar in the web browser so I can't go up there and get it. I only can seem to see it through firebug.)

So I am not sure but maybe if I could somehow grab this url from inside my errorCallback area that would be great.

Since from my testing no error code is sent back (200 OK is sent). Instead I just get a parsing error (hence why errorCallback is called), but I can't assume that every time I get a parsing error it means the user timed out.

I need something better. The only other option is to look at the response and look for keywords and see if it is the signin page, which I don't think is that great of a way to do it.

4 Answers

2

You probably want to do one of two things:

  • Write your server code such that ajax requests return an ajax error when a session is expired. That way the javascript will expect a return code that indicates a session timeout, and you can tell the user the session expired.
  • If an elegant solution isn't forthcoming because of how your framework handles this stuff, just put a chunk of HTML comment in your login page like Uth7mee3 or something; then check for the existence of that string in your ajax code.

Alternatively, you can also set a timer on the web page that figures out when the session is about to time out and warn the user with a little message that lets them renew their session. Once it times out, blank out the page and give them a link to log in again.
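The two options from the answer above, as an added example that is not part of the original answers: a client-side classifier that treats either an explicit status or the login-page marker as "session expired". The 401 status, the `classifyResponse` and `signInUrl` helpers, and the sample responses are assumptions made for illustration.

```javascript
// Assumed: expired-session ajax calls get 401 from the server (option 1),
// and the sign-in page contains the marker string (option 2).
const SIGN_IN_PATH = "/Account/signIn"; // path shown in the question
const LOGIN_MARKER = "Uth7mee3";        // marker string from the answer

// res = { status, contentType, body, responseURL } copied from the XHR.
function classifyResponse(res) {
  if (res.status === 401) return "expired";
  const type = (res.contentType || "").toLowerCase();
  // The browser follows the 302 itself; script only sees the final 200,
  // but xhr.responseURL holds the URL that was finally fetched.
  const path = res.responseURL ? new URL(res.responseURL).pathname : "";
  if (path.toLowerCase() === SIGN_IN_PATH.toLowerCase()) return "expired";
  if (type.startsWith("text/html") && (res.body || "").includes(LOGIN_MARKER)) {
    return "expired";
  }
  const ok = res.status >= 200 && res.status < 300;
  // Fail closed: anything that is not the expected JSON is an error.
  return ok && type.startsWith("application/json") ? "ok" : "error";
}

// Sign-in redirect target; only a local path is accepted as ReturnUrl.
function signInUrl(returnPath) {
  const local = /^\/(?![\/\\])/.test(returnPath) ? returnPath : "/";
  return SIGN_IN_PATH + "?ReturnUrl=" + encodeURIComponent(local);
}

// Constructed sample responses (not captured traffic).
const samples = {
  explicit401: { status: 401, contentType: "application/json", body: "{}" },
  followedRedirect: {
    status: 200, contentType: "text/html; charset=utf-8",
    body: "<html><!-- Uth7mee3 --><form>sign in</form></html>",
    responseURL: "http://localhost:3668/Account/signIn?ReturnUrl=%2fOrders",
  },
  markerOnly: { status: 200, contentType: "text/html", body: "<!-- Uth7mee3 -->" },
  json: { status: 200, contentType: "application/json", body: '{"rows":[]}',
          responseURL: "http://localhost:3668/Orders/List" },
  otherHtml: { status: 200, contentType: "text/html", body: "<h1>Oops</h1>" },
};

for (const [name, res] of Object.entries(samples)) {
  console.log(name, "->", classifyResponse(res));
}
console.log(signInUrl("/Orders/List?page=2"), signInUrl("//other.example/x"));
```

Unexpected HTML without the marker is reported as an error and is never handed to the data parser.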


1

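How about having a script in the login page

// Runs wherever the login markup ends up. If it was injected into another
// page by an ajax call, the host page's path is not the login path.
// Compare pathname, not href: href is the absolute URL and never equals
// "/Account/Login", which would reload the real login page forever.
if (document.location.pathname != "/Account/Login")
{
    document.location.href = "/Account/Login";
}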

This would work if you try to render partials in an ajax request. (Not if you expect json)


0

What is the status code of the response in this situation? I think you should be able to check for a 302 here. If not, the Location header would be the next best way to check for the sign-in page.

10 Comments

This is what comes into my ErrorCallBack XMLHttpRequest readyState=4 status=200
I think I've seen firebug show a 302 message before, but none of my jquery/javascript code spots any 302 messages back.
Use the getResponseHeader() function of XHR to get the "Location" header.
There is also a getAllResponseHeaders() function available (FYI)
I also see 302 in firebug but my errorCallback never receives anything about 302.
0

This isn't an answer to your specific question, but the way I deal with this is to have some client-side code that understands the session length and prompts the user to renew the session just prior to it being ready to expire if they haven't moved off the page. If the user doesn't respond to the prompt in time, it invokes the logout action of the site, taking the user to the login page.

You can find more information on the exact implementation, including some code, on my blog: http://farm-fresh-code.blogspot.com.
