Verify if user is still logged in?



seldon
30 Dec 2006, 4:34 AM
Hi,

I'm wondering what the best way is to verify if a user is still logged in when doing ajax calls (updates of elements, and other asynchronous calls). I would like to have the following behaviour. As soon as it is noticed that a user is no longer logged in, my webapp should pop up the login dialog. I'm just not sure what the best point is to check for 'still_logged_in', and whether to store the logged in state or user/pass in a cookie on the client side, or do all the checking on the server side.

Any help is much appreciated!

Thanks,

Seldon

JeffHowden
30 Dec 2006, 5:21 AM
For security reasons you absolutely must do the storage and checking of whether or not they're logged in server-side. However, in order to handle the scenario you're describing, I'd recommend a function that all your AJAX callbacks call when onFailure. This single function can check for a particular type of error message which your app will return if the user is not logged in. If it detects that type of error message being returned, it simply does some cleanup and shows the user the login dialog. Otherwise it can be set up to do some logging, reporting, or whatever of that error message to help with development, troubleshooting, etc.

seldon
5 Jan 2007, 7:52 AM
Hmm, but how to check 'onFailure'? Should I add a callback for each update call and check if, say, the response was empty and interpret that as a failure? Some more advice is appreciated!

Thanks!

seldon
23 Feb 2007, 4:02 PM
Hi,

I have still not yet solved this problem. I am now thinking of perhaps intercepting every yahoo.connect.asyncrequest call and doing an asyncrequest call to see if the user is still logged in. But this means for each ajax call, two calls will be made to the server. Another way would be to somehow initiate the failure callback in case the user is no longer logged in, but I'm not sure how to do that.

Of course one could also modify all the callbacks into some json format like {loggedin: true, response: ..}, but this means modifying all callbacks and adding a logincheck function everywhere. Moreover updatemanager update calls would no longer work.

Other people must have also encountered this problem; please, how do you / did you solve this?

Thanks,

Seldon

Bobafart
23 Feb 2007, 4:22 PM
I believe this problem is easily solved by using SESSIONS if you are using PHP as your server side language -- Javascript won't help you here

http://www.php.net

BernardChhun
23 Feb 2007, 7:13 PM
Yup, that sounds like sessions or timeouts, Seldon.
I guess using Javascript or server-side coding to check that out depends on the security level that you feel is appropriate for your type of web app.

Is it a bank account connection? Or something like an RSS reader?

As for the web app I'm personally working on, we copied a bit of how Netvibes.com works.
They have 2 cookies containing encoded user IDs. The first cookie is for a user that hasn't registered yet. The second one is for the registered user that logged on.

Depending on that simple fact (being logged on or not), they use the appropriate cookie to update the user state (adding, deleting rss feeds or widgets...) on their server.

Once the user registers, it associates the unconnected cookie value to the username & the password. It then associates that value to the connected cookie and works with it until the user disconnects.
So basically, they don't care whether the user is still connected or not. They will use the appropriate cookie value depending on the logged on status.

what's your desired security level? :)

trbs
23 Feb 2007, 9:22 PM
seldon:

authentication and such should be done server side.

your client side javascript could deal with that using:
- onFailure / overriding; for handling server side not_logged_in_anymore errors
- poller; for the timeout with a call to the server every once in a while (eg: if you're doing a web2 style app and you want the user to be automatically logged out after a while)

onFailure: your server side response could return some extra response header or http_response_code to let javascript know the log_in has expired.
poller: some code to check log_in_status at some interval, and do something if the server response is not_logged_in (eg: display the log_in dialog)

I think (never done it) this could be done quite easily with javascript prototype overriding... you could override the asyncrequest response code and check for some request_response_header you added to the response in your server side code. This way every call is just done once; the server side should check every request on its logged_in status, and when the user is not logged_in the server adds a header to the response indicating to your client side code that the user is logged out.

in most cases using some baseClass for your async_handlers which has onFailure() overridden to execute the cleanup and login_dialog code if the server says not_logged_in should be enough.

as long as you have free control over the response_headers it looks to me that adding an extra header to indicate logged_in_or_out from the server side would be the appropriate thing to do. :D you could override the default request/response code on your server side to directly respond with a logged_out response, without ever even starting to process the rest of the request.

seldon
24 Feb 2007, 2:08 AM
bobafart:
I know, my problem is how to inform the user nicely that his session has timed out.

BernardChhun:
Hmm, if I understand it correctly, in your code you don't care if the session expires? But then the app doesn't work anymore and the user doesn't know what to do / what causes it! Or wait, you let the session never expire, that's of course an option too. But I think I do want an expiring session.

trbs:
Yeps, that sounds like a good solution, adding something to the response header, but I'm not yet sure how to do that. Then indeed I must override the onfailure/success delegation function. Then at least it works for all async request calls. I'm not sure if this also goes ok with updatemanager updates. I'll look into following this route, thanks! Oh, if anyone has already done this, please spare me the time ;)

Oh, then to Jack: perhaps you can build in this overriding in Ext, such that it allows for easy login checks?

Thanks,

Seldon

seldon
24 Feb 2007, 2:44 AM
Ok, I decided to add some line to the header if the session has timed out: "logged-out:true". Now I must check for this somewhere in the javascript. Via the response object I can check it using:


if (o.getAllResponseHeaders.lastIndexOf('logged-out:true') != -1) {
    // session has timed out: clean up and show the login dialog
} else {
    // normal handling of the response
}

However, is there a way to intercept the success callback and do this check without having to modify every callback in my code?

I hope anyone can help out,

Thanks,

Seldon!

BernardChhun
24 Feb 2007, 4:51 AM
In your case, I think using the createInterceptor() function on the callback function might work right :) tryanDLS wrote a pretty cool article on that : http://www.yui-ext.com/manual/utilities:function

Animal
24 Feb 2007, 6:48 AM
Uhhhh (polishes halo) that was my explicification! :wink:

tryanDLS
24 Feb 2007, 8:42 AM
Yeah, I don't want to steal Animal's thunder! In most cases, my contribution is only as self-appointed spelling and grammar checker - somebody else did the heavy lifting :)

BernardChhun
24 Feb 2007, 2:46 PM
:shock: waaa sorry Animal! I just assumed the name in the right lower corner was the author! :lol:

seldon
26 Feb 2007, 9:01 AM
Ok, at numerous points in my code I have chunks like:



YAHOO.util.Connect.asyncRequest('post', url, {success: doSomething, failure: submitFailure.createDelegate(this)});


To verify if a user is logged in I can modify each piece into


YAHOO.util.Connect.asyncRequest('post', url, {
    success: doSomething.createInterceptor(function(o, b) {
        return isLoggedIn(o.getAllResponseHeaders);
    }),
    failure: submitFailure.createDelegate(this)
});



But I have quite a lot of asyncrequests in my code, and moreover I have some updatemanager updates that cannot as easily be intercepted by the above method. Does anyone have an idea how to do a single? interception that covers all bases?

Thanks already,

Seldon

72
25 Apr 2007, 6:12 AM
Does anyone have an idea how to do a single? interception that covers all bases?


I need this too; I've got the backend done and tested. Is there a way (is this a good idea?) to extend the Connect class (override some methods or set others) and check the response before all requests? But what about the grids and all that stuff?

I've got a timer set also. It checks for logon validity 10 secs after the server security key expires, but it doesn't cover all the ways.


Any easy way/idea to cover logon checking?

Thanks for reply.

72
25 Apr 2007, 7:35 AM
It's just a question: is it a good idea to use the function interceptor (createInterceptor (http://www.yui-ext.com/deploy/yui-ext/docs/output/Function.html#createInterceptor)) for handling that? Just pin it to every ajax call (and some other required functions)..



EDIT:
-------------------------------
The last one I think is better.. The best way will be to define a function in which the AJAX request call is made (this function will be in global scope and will be called instead of the standard XHR call), and after that it determines the state and based on that it takes action. If it's OK and the user is logged in, it returns the JSON string.

Animal
25 Apr 2007, 8:43 AM
Seldon, use Ext.data.Connections to grab remote data (You'll have to read the source!)

Then you can use the technique I described in post 8 here http://extjs.com/forum/showthread.php?t=5122

to make the Connection class observable, and do



Ext.data.Connection.on("requestcomplete", function(xhrResponse, options) {
    // do something
});


just once to be informed of all "requestcomplete" events of all Connections however instantiated.

seldon
26 Apr 2007, 3:44 AM
Yeps, I'm currently doing that. However, Ajax calls using Ext.lib.Ajax.request do not use the connection object and are hence not intercepted. So actually one should create a global connection object instead and use that for *all* asyncrequests.

Animal
26 Apr 2007, 4:09 AM
YAHOO.util.Connect is a singleton. You could add an interceptor to handleTransactionResponse and do your own thing in there.
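The single interception point Animal and seldon are circling, as an added example that is not code from this thread, YUI or Ext: a stand-in for the Connect singleton is constructed here (with a simplified handleTransactionResponse signature) so the block runs offline, an Ext 1.x-style createInterceptor is hooked onto that one method, and the session check parses the header string instead of relying on lastIndexOf, so header case and spacing do not matter and a 401 is also caught. The logged-out header, the dialog stub and the stand-in are assumptions.

```javascript
// Ext 1.x-style Function.createInterceptor: the original runs only when the
// interceptor does not return false.
Function.prototype.createInterceptor = function (fcn, scope) {
  const method = this;
  return function () {
    if (fcn.apply(scope || this, arguments) === false) return undefined;
    return method.apply(this, arguments);
  };
};

// Parse the raw "Name: value\r\n..." header string into a lowercase-keyed object,
// so the check does not depend on header case or spacing the way
// lastIndexOf('logged-out:true') does.
function parseHeaders(raw) {
  const out = {};
  for (const line of (raw || '').split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx > 0) out[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return out;
}

// Assumed contract: server signals a dead session with 401 and/or "logged-out: true".
function sessionExpired(o) {
  return o.status === 401 || parseHeaders(o.getAllResponseHeaders)['logged-out'] === 'true';
}

// Constructed stand-in for the singleton (signature simplified): the one method
// through which every XHR result reaches its per-request success/failure callback.
const Connect = {
  handleTransactionResponse(o, callback) {
    const cb = o.status >= 200 && o.status < 300 ? callback.success : callback.failure;
    if (cb) cb.call(callback.scope || null, o);
    return 'dispatched';
  }
};

const loginPrompts = [];                  // records each time the login dialog is shown
function showLoginDialog() { loginPrompts.push(Date.now()); }

// Hook once; returning false stops the app's own callbacks from running on a dead session.
Connect.handleTransactionResponse = Connect.handleTransactionResponse.createInterceptor(function (o) {
  if (sessionExpired(o)) { showLoginDialog(); return false; }
});
```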

dfenwick
26 Apr 2007, 4:14 AM
On a side note, I wrote a stream of consciousness security prospectus a few months ago. It's still here: http://www.extjs.com/forum/showthread.php?t=3932

Dunno how helpful it would be. It's somewhere in the middle of that thread.

72
27 Apr 2007, 2:03 AM
I cannot find the way to intercept all responses coming from XHR... I want to intercept all success responses in one place, so that if I call Ext.lib.Ajax.request and a success (or any) response is made, I want to check the responseText before it is passed to the function defined in the function parameter (Ext.lib.Ajax.request).

My backend is based on this: if the user is not authorized it will bring back JSON data where ACCESS DENIED is defined (only that, without real data of course), and if the user is authorized and has rights to read the data, PERMIT+DATA is passed back.

So I want to check the responseText before I pass it to the defined function. I tried all the ways but can't get it to work. I can't get the object which has to be intercepted :-?

Any help would be appreciated.

If anyone would find the PHP authentication class useful, I can post the simple way of authentication based on sessions with security keys.
Every request made renews the key. In the session only the userId & key are stored.


Thanks for replying
$72