I need to fire Session.Abandon() when a user leaves the page he is watching.
If the user just refreshes the page session must be kept.
I tried to do this client-side firing an ajax call when unloading the page window.addEventListener("unload", function(e)... but I'm not able to distinguish if the user is just refreshing the page or is leaving it.
I'm currently usuing ASP.NET MVC5.
Any suggestion, please?
There is no straight-forward way to do this... The question is: why would you want to do this anyway? Feels like bad design to me.
You could handle some navigate event and check if the domain is the same as you currently have. If not, fire an AJAX call to abandon the session. Make sure to make that call a HTTP POST with a CSRF token to be sure not to be vulnerable to CSRF.
Related
I'm making a project in primefaces and I'm puzzling in something simple.
The objective is:
When an AjAX request is made, send something to the browser so that it knows the session has expired.
By knowing that the session has expired, it knows it must display the login form (the contents are inside a <template> tag) in a popin (modal(?) box) and it displays it.
When the user tries to submit the form, the js intercepts the submit event and it sends the login using AJAX.
On successful login, re-send the previous AJAX request that had failed due to session timeout.
Update:
To solve this, I decided to use, a filter, I was able to do the request interception and I was able to analyze if the session had timed out. Given that, there seem to be a specific header that is always sent when it is a request using DOM's XMLHttpRequest(), so I can use that to decide the kind of answer it should give for session timeout.
With that, I send the answer to the client... Now what?
This is something super simple I had already made when not using any framework at all but now, using primefaces, I can't seem to be able to even get started, I have no clue how to do it.
This is on primefaces 5.0 with only its dependencies.
When a user lands on my page, say, www.somepage.com, I want to display some randomised content. But I want that content to be bookmarkable, so the URL should be changed on the client to something like 'www.somepage.com/?showparts=2,7,12', where the numbers can be different.
I do not want to do a redirect every time the user goes to 'www.somepage.com' so that it refers the user to 'www.somepage.com/?showparts=2,7,12', since that will require 2 round trips of communication with the server, making the site appear slow to the user.
So is there a way to make the user's browser show the URL as 'www.somepage.com/?showparts=1,4,6,30' in the one request and response when they navigate to 'www.somepage.com'?
I have read this thread: Is there a way to change the browser's address bar without refreshing the page?
But that thread is about changing the page after user interaction, so after the page has already been loaded on the client.
My question is about whether there is a response code or something to change the browser's URL in the first response sent from the server to the client when the client first navigates to the site.
I have read about history.js (https://github.com/browserstate/history.js), but I was wondering if there's a more simple solution in a response code or something. If the only solution is to use history.js, how should I do it? I was thinking that I could add a javascript call to the html page sent from the server as follows:
History.pushState(null, null, "?showparts=1,4,6,30");
Any pointers would be appreciated.
Thanks,
Keith
My understanding is that you could use the History api as you've illustrated here to solve the issue you describe. Have you tried it? What kind of problems are you having with it?
It is kind of a difficult to explain problem.
Let me describe you a scenario.
I have Home Page, Registration Page, Login Page and Dashboard page
When I register for the application from Register page and hit submit. Application will process request and will redirect me on Dashbord with User logged in. Now, The issue comes. When i hit back button. I get the Registration page with fields filled by values. This should not happen.
When i login to system and from dashboard i hit back of browser. it will show me login page. This also should not happen.
I hope it makes it clear what I am looking for.
Few Possible solutions I tried:
use a Proxy page. Similar to what many mail services are doing. But in MVC 3 it will not detect page load event and there is very less control on page.
use javascript function on a proxy page window.history.forward()
Expire proxy page once rendered.
I am not totally convinced with above solution. I was hoping to get some best practices of doing this in a systematic way and elegant solution to problem.
Please help me with your suggestions on existing solution that i am using as well as if you have some great working solution. Please share it.
Thanks All.
FYI.. I am using ASP.NET MVC 4 for development.
In the Controller/Action method for the register and login page check if the user is already logged in and redirect to eg. the Dashboard.
Something like this depending on how you do your authentication.
public ActionResult Register()
{
//If already logged in no need to show register page again
if(Request.IsAuthenticated)
return Redirec("Dashboard");
return View();
}
Edit: Updated answer to fix commented issue
I created a Partial view with the following content
<input type="hidden" id="reloader" value="" />
<script type="text/javascript">
if (document.getElementById("reloader").value === "reload")
window.location.reload();
else
document.getElementById("reloader").value = "reload"
</script>
You can then include that with #Html.Partial('PartailViewName') in your Register and Login views.
Since the DOM is cached when you use the back button the script above will reload the page if the user uses the back button.
If used together with my first answer you will get the behavior you wanted.
Use history.js to control the history.back() event. You just replace the state of the last page to point to the dashboard or the page you want (inside your web app; inter-domain is prohibited for security reasons). When the user clicks the back button the defined page is loaded instead of the login page.
https://github.com/browserstate/History.js/
The proxy solution is too complicated for this kind of UI interaction. The client-side control is the best approach for your solution. The HTML5 reference define the History API for that (http://www.w3.org/TR/html5/history.html). Unfortunately not all the browsers implement it right now; that's because the history.js script exists.
There is one frame sometimes which includes to load action class. But sometimes due to server issues or some other causes.
In this scenario, I want to reload the script.
But, while reloading the script, I am getting as a pop up like "resending data". and asking confirmation.
How to avoid pop ups while reloading the script?
Note: As I need to get more than 1KB data(it may extend), I need to use POST request only.
Will it make any sense?
You can use ajax to send the post request to server asynchronously, right after the page has been loaded.
In that case, you don't need to refresh your page when there's something wrong. Just simply resend the post request with Javascript. And the browser won't pop up a warning dialog if you refresh the page anyway.
It seems that you enter the site with a post requset, change it to a get and just "reload it".
If you have access to the server code, and the solution allows it, you can do a redirect to the same url after handling the POST. Then you can do a refresh without POST and confirmation.
Using ajax as suggested by su27 is recommended and a far better solution, but will probably harder to implement...
This is more of a discussion, rather than a real question...
I'm building a site and I am struggling with how to force a user to login to the site to access certain areas and take certain actions. I'm using spring security and have it integrated fairly well, however, I also have some AJAX calls that need to be secured and when Spring Security intercepts my calls it attempts to send back the HTML for login page to my AJAX callback which doesn't do me any good.
In passed applications, when I was using Struts, I was able to override the html:link tag and check login in the tag and rewrite the href to point to my login page (instead of my ajax script), however, I'm using Spring MVC and I don't have that luxury (if you can call it one).
I'm playing with some ideas such as:
Iterating through all my links on the page and rewriting the href of the links that have a certain class if the user is not logged in
Create a custom tag from scratch
Ditch the fancy AJAX stuff
It looks like other sites, such as, DZONE and Digg do something similar; so I know it's possible.
I'm looking for any ideas at this point, just something fresh to try, other than the three options above. Of the three, I think I'm leaning more towards #1.
If I understand your question correctly, you are asking how you can get around your secured AJAX requests returning redirects to your login page (or the login page itself) to your AJAX handler?
I would organise your application so that calls to secured AJAX request are only done from pages that are secured themselves. That way all requests that you initiate (from your own pages) are guaranteed to work and any requests that come from somewhere else (potentially malicious ones) from AJAX or normal page requests will be redirected to the login page.