Hi everyone
I'm working on a subscription site which currently has a secure sign in facility which works well. I was about to start converting various forms in the password protected areas over to AJAX but then thought of a potential problem.
At the moment I have a file called auth.php included at the top of every secured page on the site. If a user is not signed in then this script redirects the user to a sign in page using the PHP header() function, followed by exit() of course.
If I have a form which should only be used when a user is signed in and I want the response to the form to be sent to the user through AJAX, then the AJAX response would actually contain the header() redirect if the user wasn't signed in.
You'd be relying on the browser obeying the header redirect in the AJAX response and redirecting the user... inconsistent, horrible, and probably unlikely they'd obey the redirect as well.
So here are the options, ordered by increasing complexity...
- Ditch AJAX forms on secured pages.
- Add support within the auth.php file to branch if it's an AJAX form and output a message asking the user to sign in again with a link to the signin page.
- Add support within the auth.php file to branch if it's an AJAX form and send a distinct AJAX response which is parsed by the Javascript on the form page to redirect using window.location.
I think ebay uses this 3rd option when you try to add an item to your watch list but aren't signed in. It's probably the best from a user perspective.
What do people think is the best option?
Has anyone come up with different methods when dealing with this situation?
Is there anything inherently wrong in using AJAX request/responses for forms within a secured environment? I can't think of anything... other than this particular issue.
I guess it's a question of whether the improved user experience is worth some extra complexity. With complexity comes the potential for security holes though.
Cheers, B
header Location redirect within AJAX response
Re: header Location within AJAX response
3rd option sounds best. It's actually not much extra work - you just need to integrate into each AJAX call code that properly handles the condition of unauthorized access, which is easiest to indicate by simply adding another JSON object property to the response.
If you're using jQuery 1.5+, they've implemented the Promise style. Looking at the example here under the "The jqXHR Object" heading, it looks like it would be possible for you to pre-define a success function that just checks for that "unauthorized" response, which will always be executed by your AJAX-call specific success function:
Something like
// Shared handler: checks every AJAX response for the "unauth" flag first
function checkUnauth(data, status, jqXHR) {
    if (data.unauth)
        alert('You need to login again');
}

$.ajax('url_for_particular_ajax_call', { dataType: 'json' })
    .success(checkUnauth)             // runs for every call
    .success(function(data, status, jqXHR) {
        // regular event handler for this call
    });
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Re: header Location redirect within AJAX response
Yeah I decided to go for the 3rd option there... JS redirect if the ajax response said that the user was logged out.
It seems to work well!
I only needed to modify my JS script which handles the AJAX forms and add a flag for my auth.php file to return a URL as an AJAX response rather than sending a header location.
Although I don't return JSON to jquery but regular HTML. That way if the user has JS off for some reason, they at least get a human readable message.
Thanks for the input!
Hope this helps someone out
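For the server side of the 3rd option (the auth.php branch the reply above suggests with a JSON property, and the "return a URL instead of a header location" flag described in this post), here is an added example that is not the poster's own auth.php. It assumes the sign-in code sets $_SESSION['user_id'] and that the client sends the X-Requested-With header jQuery adds to $.ajax calls; the sign-in path is a fixed server-side value.

```php
<?php
// auth.php: included at the top of every protected page and AJAX endpoint.
// Added example, not the original poster's file. Assumes $_SESSION['user_id']
// is set by the existing sign-in code and that AJAX calls come from jQuery.

session_start();

function isAjaxRequest(): bool
{
    // jQuery sets this header on every XMLHttpRequest; plain form posts and
    // fetch() calls do not, so those fall back to the ordinary redirect.
    return isset($_SERVER['HTTP_X_REQUESTED_WITH'])
        && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';
}

function requireSignIn(string $signInUrl = '/signin.php'): void
{
    if (!empty($_SESSION['user_id'])) {
        return; // signed in: let the including page carry on
    }

    // The redirect target is a fixed server-side path, never taken from the
    // request, so the response cannot be turned into an open redirect.
    if (isAjaxRequest()) {
        http_response_code(401);
        header('Content-Type: application/json');
        echo json_encode(['unauth' => true, 'redirect' => $signInUrl]);
    } else {
        header('Location: ' . $signInUrl);
    }
    // Either way, stop here. Without exit the protected page below still
    // runs and its output is appended to the response for a signed-out client.
    exit;
}

requireSignIn();
```

The jQuery success handler from the reply above then checks data.unauth and can set window.location to data.redirect; a non-AJAX form post to the same endpoint still gets the usual Location redirect.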
Re: header Location redirect within AJAX response
If they've got JS off, the AJAX call isn't happening.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
Re: header Location redirect within AJAX response
No, but the form should still submit to the action="" attribute!