
AJAX created dropdowns and Session timeout

 
Andres Delrotti
Ranch Hand

We have a JSP page. In that JSP page there are a lot of dynamic dropdowns. Dynamic meaning when a value is selected in dropdown1, it dictates the values that will be listed in dropdown2 and so on. These are done through Ajax.

The problem is when session timeout happens. The Ajax calls pass through a controller class on the back end to query the dropdown values. In our code there is also a filter class which checks the session before forwarding the call to the chosen controller action. Since the filter class will be able to detect the invalid session, the Ajax call would not be forwarded to the controller class it's supposed to call. If that happens, all dropdowns will show a blank value. This will be confusing to the user.

Is there any way to better handle this?
 
Bear Bibeault
Author and ninkuma
Marshal
Don't pass those requests through the filter.
 
Stefan Evans
Bartender
Well even if those requests don't pass through the filter, you are just delaying the inevitable.
When the user comes to an interaction that DOES require a session (such as save) what happens then?

How do you deal with a session timeout in the general case?
- alert the user, and close the app?
- ask them to log in again (retaining current context or not?)



 
Andres Delrotti
Ranch Hand
Bear Bibeault wrote: Don't pass those requests through the filter.


Seems that would cause a hole in the security?
 
Andres Delrotti
Ranch Hand
Stefan Evans wrote:

How do you deal with a session timeout in the general case?
- alert the user, and close the app?
- ask them to log in again (retaining current context or not?)





We are planning this solution. Catch a mouse click anywhere in the page, then check if the clicked element is any of the dropdowns; if it is, trigger an Ajax call to the back end to check the session. If the session is invalidated, return something like "window.location = loginPage.do" in the page.

Would that work? Is that OK?
 
Bear Bibeault
Author and ninkuma
Marshal
That sounds like a horribly overcomplicated and error-prone approach.

First of all, why do the drop down requests need to be validated at all? Unless there is sensitive data being returned to use as drop down values, why bother?

Andres Delrotti wrote: Seems that would cause a hole in the security?


If the dropdowns do contain sensitive data that needs protecting, making additional calls makes no sense. Simply return a response status code that indicates a security timeout from the Ajax requests that return the options data.
 
Andres Delrotti
Ranch Hand
Bear Bibeault wrote:

If the dropdowns do contain sensitive data that needs protecting, making additional calls makes no sense. Simply return a response status code that indicates a security timeout from the Ajax requests that return the options data.


So you mean, if that happens, the dropdowns should return a single option containing a text like "invalid session" or "no data- session timeout"?

I'm inclined to do your recommendation, but wouldn't that confuse the user more, rather than forwarding him/her to the login page upon onChange of the dropdown?
 
Bear Bibeault
Author and ninkuma
Marshal
Andres Delrotti wrote: So you mean, if that happens, the dropdowns should return a single option containing a text like "invalid session" or "no data- session timeout"?

No, it should return an HTTP status code for the response that indicates the error. I use 555 (anything over 500 is a server error).

Andres Delrotti wrote: I'm inclined to do your recommendation, but wouldn't that confuse the user more, rather than forwarding him/her to the login page upon onChange of the dropdown?

No, because I never said anything about showing that to the user rather than using the status code to allow your code to take appropriate action.
 
salvin francis
Bartender
Bear Bibeault wrote: No, it should return an HTTP status code for the response that indicates the error. I use 555 (anything over 500 is a server error).

I suggest using a standard one like HttpServletResponse.SC_FORBIDDEN for such requests.
The Javadocs state:
Status code (403) indicating the server understood the request but refused to fulfill it.

 
Bear Bibeault
Author and ninkuma
Marshal
A 403 indicates a permissions rather than authentication failure. Also, browsers may have built-in actions (that are not wanted) for codes under 500. So I use a custom value greater than 500. YMMV.
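
The status-code approach discussed in this thread, sketched from the client side as an added example (it is not code from any poster). It assumes the filter answers expired Ajax requests with 555 (the value mentioned above) or 401, and that option data arrives as a JSON array of `{value, label}`; the function names and the `returnTo` parameter are hypothetical. It goes one step beyond the thread by also treating a 200 HTML response as an expired session, since XHR and fetch follow a filter's login redirect silently.

```javascript
const SESSION_EXPIRED_STATUS = 555; // custom status suggested in the thread
const LOGIN_PAGE = "loginPage.do";  // login URL named in the thread

// Build the login URL. Only a same-origin path ("/..." but not "//" or "/\")
// is carried in the hypothetical returnTo parameter, so it cannot be abused
// as an open redirect.
function loginUrl(currentPath) {
  const safe = /^\/(?![\/\\])/.test(currentPath || "") ? currentPath : "/";
  return LOGIN_PAGE + "?returnTo=" + encodeURIComponent(safe);
}

// Pure decision step: map one Ajax response to a single action for the page.
function decideAction(status, contentType, bodyText, currentPath) {
  if (status === SESSION_EXPIRED_STATUS || status === 401) {
    return { kind: "login", url: loginUrl(currentPath) };
  }
  if (status < 200 || status >= 300) return { kind: "error", status };
  // A filter that redirects to the login page is followed transparently by
  // XHR/fetch, so the script sees 200 + HTML instead of option data.
  if (!/^application\/json\b/i.test(contentType || "")) {
    return { kind: "login", url: loginUrl(currentPath) };
  }
  let data;
  try { data = JSON.parse(bodyText); } catch (e) { data = null; }
  if (!Array.isArray(data)) return { kind: "error", status };
  // Keep only well-formed entries (assumed shape: [{value, label}, ...]).
  const options = data
    .filter(o => o && typeof o.value === "string" && typeof o.label === "string")
    .map(o => ({ value: o.value, label: o.label }));
  return { kind: "populate", options };
}

// Browser glue: fetch the options for a dependent dropdown and apply the action.
async function loadDependentOptions(url, selectEl) {
  const res = await fetch(url, { credentials: "same-origin" });
  const action = decideAction(res.status, res.headers.get("Content-Type"),
    await res.text(), location.pathname + location.search);
  if (action.kind === "login") {
    window.location.assign(action.url); // one redirect, no blank dropdowns
  } else if (action.kind === "error") {
    selectEl.disabled = true;           // leave current options untouched
  } else {
    // new Option() sets text, not HTML, so labels cannot inject markup.
    selectEl.replaceChildren(...action.options.map(o => new Option(o.label, o.value)));
  }
}
```

The server still has to validate `returnTo` after login; the client-side check only keeps the page from generating an off-site value itself.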

 