Session null after window.open in minimal SharePoint page - javascript

I'm storing a token in a session variable. I launch a report that needs this token in a new ASPX page by using the javascript windows.open function. When this new page loads the HttpContext.Current.Session is null.
I have gotten around this by passing the token in the query string but activity in this window needs to keep the session of the parent window active and I'm not sure what the session object being null means for this scenario.
Any idea why the HttpContext.Current.Session object would be null by using window.open from javascript?
EDIT: I will add that this is a basic System.Web.UI.Page stored in a SharePoint library and the window.open function is called from a webpart. I'm thinking that this page may need to inherit from a base class to share the right context.
UPDATE: I've narrowed down that this is related to SharePoint. I moved the code that accesses the Session object into a web part. The web part works fine if put in a standard web part page but I have it added to a minimal page that only contains a ScriptManager, SPWebPartManager and a WebPartZone. The code runs but the session object is again null. My minimal page is missing something that makes the Session object available.
SOLVED: My minimal ASPX page needed to implement the IRequiresSessionState interface. After that the Session object is there.
I'm going to give the cred to Andrey since he offered the most useful information.

Technically, it's a different connection to the web site, that's why it's a different session. It's probably better to use Application cache instead of session if you want different windows to utilize the same session storage.
UPDATE:
What you can do if you want to stick to using session state, is to write the session ID to a persistent cookie, this way the child window's call to the server will carry it along and you can retrieve SessionID from that cookie. IMPORTANT: Make sure you encrypt session ID ebfore putting into teh cookie to avoid session hijacking.

window.open() should keep the same session id
window.open() clears session
make sure that the url you pass to the open() method is relative or the same domain name

I assume you are using IIS 6 or later.
Lets say you have 2 different websites:
http://site1.yourdomain.com
http://site2.yourdomain.com
2 things can happen
Both sites run under the same Application Pool: Session should be the same for both sites.
note: Internet Explorer prior to version 8 gets assigned different session if the newest window is not originated from the currently open window. Starting on version 8 all windows accessing the same Application Pool share the same version regardless the origin of the window.
Sites run under different Application Pools in IIS: Not even dreaming you can share the same session for both windows
If the website is the same for both windows you shouldn't have any problem sharing session between two windows, even with any version of Internet Explorer since the second window is originating from the first one by calling window.open() method.

Related

Race condition trying to sync access token in multiple tab

Here’s what I’m facing. Currently, refresh tokens are stored in httpOnly cookie, and on every SSR, we refresh the token and send the whole response to the browser, the access token is only saved in memory, then the browser will continue for renewing it. The problem arises when we have 2 tabs, the access tokens will go out of sync. The initial tab’s access token will be unusable.
To work around this, we can either use localStorage to sync the tokens or use non-httpOnly cookie to store the access tokens. Or, manage tokens server-side, But both would have a problem, let’s say Tab 1 sent a request using the current access token, then I open Tab 2, the token is refreshed, Tab 1 request just reached the API, and the token is already invalidated.
I can’t find a proper solution unless we build more server-side logic into NextJS. Or perhaps if we don’t invalidate access token when refreshing and let it dies off the expiry. That way, we have ample time to fight the race condition.
Or, we retry all requests using exponential back off. Actually this kinda solves everything, and there’s a package ready for it. Except we’ll need to rewrite many parts to adopt the new library, and also there would be false alarms in the logs.
Or, we just ignore this and hope the race condition won’t appear, although it seems to me it’s going to occur pretty easily.
We are facing this problem in the company I work for.
Our solution is to store the refresh token in localStorage. If the token is regenerated, the other open tabs would detect a change in localStorage, retrieve the stored token (which now is a brand new one, generated by some other tab) and from that point on use it. The token is stored in memory until another change in localStorage is triggered.
To learn how to detect a change in storage: https://developer.mozilla.org/en-US/docs/Web/API/Window/storage_event
Honestly, there is no standard and robust solution to that as far as I know, and based on my research on the Internet.
Interesting problem. In single page apps each tab would be independent and have its own access token that it could store in HTML5 session storage or memory.
In server side web apps cookies are usually shared across all tabs and can cause conflicts.
I would try to follow the SPA model - there is no good reason why using your app on tab 2 should invalidate the token on tab 1.
They are different sessions and should be independent - as they would be if running one tab in Chrome and the other in Firefox.
Keep access tokens short lived (<= 60 minutes) so that after logout on tab 1 the user does not stay logged in on tab 2 for long.

Sessions in JavaScript or Global variables

What do you recommend to use as "website sessions settings": I have few notifications (about using my web site functions) and I show them to user when he open the page first time. However, I do not want to show him everytime that he navigates the page.
My idea is to use some variable that is valid through session on my web site and terminates when user leaves it.
I am thinking of using php server settings and then use AJAX to set them, but it looks a little complicated. What do you think? Client session settings (if such exist) or global variables, or something else?
There are many ways to do so.
You can achieve that using HTML and Javascript using a cookie. (Take a look at [jQuery Cookie])1.
Check for the cookie when the user opens the page; if not found, show him the message and create the cookie.

call Javascript function from OUTSIDE the browser?

I have a Windows tray application that needs to communicate with my web-application, especially displaying incoming call information.
The telephony-application (ProCall) can start applications when a call-event is received.
I could open a specific URL in a new browser window, but ideally I would like to start a Javascript function of an EXISTING browserwindow and then do it with AJAX.
Is this even possible?
You could have your application talking to a local service via AJAX (with polling) or COMET and have the tray application either host that service or talk to that service. That way you could have a pretty easy channel of communication from your browser to the tray application.
Otherwise you're looking at something like an active x control as far as I know.
You can insert <script> tag on the page?
If yes you can put inside function call, or other code
if you can change the javascript source, i'd say that the url you call have aditional GET/query string parameters, or a hash, and that your js parses it and act accordingly
if you want to use an existing window, you can probably get the instance using COM and with some method around change the hash of one of the open websites to send commands to javascript without reloading. i'm pretty sure it is possible to do something like that with IE, and probably with FF. of course, you need to create a desktop app that get the instances and call its methods. i'd recommend .net or a .vbs script
You want communication between two browser windows, but first you must start from the first step: How will you relate a browser window to another one?
Why should A contact B not C?
The answer depends on this relationship. For example, if A is somehow causing B to spawn, it would be a matter of passing a "pointer" to B (which could simply be a session ID).

Chrome extension / web app session control

I am creating a chrome extension, rather a chrome webapp. This application just contains the html, js, image and css files. The application connects to a server to fetch data. I chose to do this as it would reduce the amount of files downloaded by the user. Using Backbone.js I have an MVC architecture in my application. Thus the application just sends json.
Now having said this, I need a session management. I plan to use Google authentication as the organization has Google Apps. I need a method that once the user has logged in using google auth the server get the user name every time the application makes a request.
Is it a good idea to add the user name in request header, if possible. Or should I use cookies? Can any one tell me how I could go about using cookies in this case?
This might be a late response but I want to present a more elegant solution to you given that the user has cookies enabled in their browser.
First read my answer on another question.
Now that you can send cross origin xhr from your content scripts all you need to do is store all your authentication and session management at server only. That is right, you just need to display whether the user is logged in or not and a logout button at client based on server response.
Just follow these steps.
At client Whenever user accesses your chrome web app, blindly make XmlHttpRequests to your server without worrying about authentication, just keep a tab on response from server which I describe below.
At server whenever you receive a request check for valid sessions or session cookie. If session is valid send proper response, if not send error, 401 or any other response to communicate to your client that session is not valid. It is better if you send an error code like 401 since then you can put a generic script at client to inform them that they are not logged in.
At Client If response from server is proper, display it, else display login link to your website.
IMPORTANT: Display logout button if user is logged in.
Check out my implementation of this in my extension
For help using Google authentication in your app take a look at Google's OAuth tutorial which comes with all you need (took me no time to set it up using this).
As for session management. The implementation of OAuth used by Google stores the tokens in localStorage. Also, as briefly mentioned in the extensions overview we are expected to use localStorage to store data. Thus, I suggest you store the users name here as it will be accessible throughout the app's lifetime (until it is uninstalled). However, you may need to manage the name stored here and consider what should happen when users log in and out. That said; I'm not sure if sessionStorage would be a better option as I've never used it before, let alone in an extension.
Note
localStorage and its counterparts only store strings so I suggest using a wrapper which uses JSON to parse and stringify to get and set your values respectively.

How can I automatically answer a password prompt from an embedded item in an (X)HTML page?

I wrote a web page that displays images from several servers on my network via simple img tags with appropriate href values. The servers require authentication before they will send the images.
It works alright, except on first load the page presents the user with a series of password prompts (one for each server). The user can select the "Remember my password" checkbox, and then subsequent refreshes of the page work without prompting, with correctly updated images. That is, until someone closes out the browser, after which a new set of prompts awaits anyone who opens the page again.
All of the credentials needed are known beforehand, and I don't care if someone could read them in the page source, since this page is in a protected part of an internal intranet site. Everyone with access to this page knows the passwords anyway.
The only browser we're allowed to use is IE 7, so I don't care about compatibility with other browsers at the moment.
Is there any way I can use JavaScript (or some other client-side code) to automatically answer those prompts so the user never sees them?
Thanks very much, in advance.
You can include the authentication in the URL:
<img src="http://paulfisher:tastybacon#internalwebs/path/to/image.png">
Where, of course, paulfisher is my username and my password is tastybacon.
No, javascript can't do this. Here are a couple of options that I've used before to solve this problem:
Change the authentication on the other servers to be either anonymous or integrated.
Proxy in the images: On the server serving the page, add another page that takes in the URL of the remote server. This new page makes a webrequest to the other server and streams the image back. The webrequest can plug in the correct credentials.
Depending on the servers' DNS names, it might be possible to share an authentication cookie across all of the servers. Then you could set up some kind of module on all of the servers to allow the shared authentication.

Categories

Resources