View Full Version : PHP Session Handling and Ext.Direct

17 Jun 2009, 4:30 AM
Hi again,

i have a question on PHP Session Handling.

I have extended my Ext.Direct apllication (http://extjs.com/forum/showthread.php?t=69840) with a session handling on PHP backend side.

The initial PHP script setups the session:

SessionControler :: init($initialParams) After that all the UI stuff is loaded.

Anytime later within the client a method is called that is provided via Ext.Direct. Then router.php (http://extjs.com/forum/showthread.php?t=68186) is called:

if (false === SessionControler :: resume())
// Error handling

// this should alwasy be set but if its not, then execute api.php without outputting it
if(!isset($_SESSION['ext-direct-state'])) {

$api = new ExtDirect_API();

$router = new ExtDirect_Router($api);
Now my question: What should i do, if the session could not be resumed (e.g. idle time out)? In this case it's not allowed to deliver any results. The client needs to be informed that the session is no longer valid. How can i do this? I dont't want to break the comunication between the Ext.Direct PHP backend and the Ext client.

Thanks in advance,
Jean Marie

19 Jun 2009, 5:40 AM
Hi Jean Marie,

Sorry to jump into your thread, but had just finished writing a post to the forum on this specific problem and thought it better to add my questions to yours than start a whole new post.


I'm just starting to work with Ext and am especially interested in using Ext.direct with an existing application backend.

I'm trying to understand the 'best' way to handle session state with AJAX queries as Ext does not seem to have any 'set' way to do this.
A base requirement would be the user not losing their 'position' or data view in the application.

My thoughts so far as as follows;
In server implementation of 'direct', before passing call to method, check session status
If valid session, allow call to pass through
If invalid session, and call is not to the registered 'login' method (whatever that is defined as in backend), return the correct 'type' of response (for form or normal direct request) with a standardized error type
In the client (javascript) code, have 'some' method of intercepting the response from all Ext.direct queries and examining the result before returning data to caller
if the response contains matching error for matching query type, interrupt process and display the login dialog with whatever received message.
EG 'Your session has expired. Please log on and re-submit your request'
if the response contains error not matching the 'predefined' error for session issues, return data to calling method with no interruption
if the response contains no errors, return the data to the calling method with no interruption In a perfect world, when the user logs back in after the expired session dialog is displayed, the request would be automatically re-submitted.

I'm interested to see if anyone has implemented something similar and can share, or if there are glaring holes in process/logic.

22 Jun 2009, 12:34 AM
That's fine by me.

Best regards,
Jean Marie

16 Oct 2009, 9:36 AM
Not sure if you have had these answered or not but here is a solution we are using for secure control over session time-outs and secure SSL code.

Basically using a poll to check with the server-side every 10 seconds. This is not encrypted and just does a check and returns a simple "ok" back to the javascript.

Our secure function does SSL encryption RSA on client side which works like this.

We have our json data that needs to be sent encrypted with our public key then embedded into a standard json formatted sent to the same server-side function. Our function can tell when its an encrypted message cause we use a keyword for the first 5 letters of unencrypted data.

If the poll comes back without the "ok" text we do a MessageWindow about being logged out in 30 seconds. After those 30 seconds is up we clear all EXT components and default back to our EXT login page. We have a function that if the timeout happens it also sends data to the server-side to handle logout functions for this session and do the cleanup needed. Otherwise we just extend the session timeout in our db. We also have a cleanup session on our server-side that if someone closes the window we have a worker app that checks for a recent call from the javascript if it doesn't call then it cleans up the session. It checks sessions every minute for cleanup of sessions no longer valid.

Hope this helps.


24 Jun 2012, 11:51 PM
jean_marie try something like this

if(!isset($_SESSION[_APP_INDEX_SESSION]["ExtDirectState"])) {
$api = esibase_direct::getApi();
} else {
$api = new ExtDirect_API();
// Cargar el api con los valores que ya hemos guardado la primera vez
// en la sesion

// Cargar el router de las peticiones Extdirect
$router = new ExtDirect_Router($api);

// Control de login ok. Cualquier peticion EXTDIRECT se cancela con requiereLogin = true si no hay sesion abierta.
if (!esibase_sesiones::esSesionOk()) {
$response = array(
'type' => $router->data->type,
'tid' => $router->data->tid,
'action' => $router->data->action,
'method' => $router->data->method,
'result' => array(
'success' => false,
'requiereLogin' => true
if(!$router->isForm) {
header('Content-Type: text/javascript');
echo json_encode($response);

// Lanzar el router dispatch del extdirect
$router->getResponse(true); // true para imprimir la respuesta instantaneamente