header Location redirect within AJAX response
Posted: Tue Mar 08, 2011 10:31 am
Hi everyone
I'm working on a subscription site which currently has a secure sign in facility which works well. I was about to start converting various forms in the password protected areas over to AJAX but then thought of a potential problem.
At the moment I have a file called auth.php included at the top of every secured page on the site. If a user is not signed in then this script redirects the user to a sign in page using the PHP header() function, followed by exit() of course.
If I have a form which should only be used when a user is signed in and I want the response to the form to be sent to the user through AJAX, then the AJAX response would actually contain the header() redirect if the user wasn't signed in.
You'd be relying on the browser obeying the header redirect in the AJAX response and redirecting the user... inconsistent, horrible, and probably unlikely they'd obey the redirect as well.
So here are the options, ordered by increasing complexity...
- Ditch AJAX forms on secured pages.
- Add support within the auth.php file to branch if it's an AJAX form and output a message asking the user to sign in again with a link to the sign-in page.
- Add support within the auth.php file to branch if it's an AJAX form and send a distinct AJAX response which is parsed by the JavaScript on the form page to redirect using window.location.
I think eBay uses this 3rd option when you try to add an item to your watch list but are not signed in. It's probably the best from a user perspective.
What do people think is the best option?
Has anyone come up with different methods when dealing with this situation?
Is there anything inherently wrong in using AJAX request/responses for forms within a secured environment? I can't think of anything... other than this particular issue.
I guess it's a question of whether the improved user experience is worth some extra complexity. With complexity comes the potential for security holes though.
Cheers, B
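The third option from the post, worked through as an added example (this is not the original poster's code, nor the auth.php of the site being described). Both halves are written in JavaScript so the exchange can be run offline: the server half is a plain function standing in for auth.php (in PHP it would test $_SERVER['HTTP_X_REQUESTED_WITH'] and emit header('HTTP/1.1 401 Unauthorized') plus a JSON body instead of header('Location: ...')), and the client half decides whether to redirect with window.location. Two points the post does not cover are built in: XMLHttpRequest and the default fetch() follow a 302 silently, so a script that received the classic redirect would actually see the sign-in page's HTML with a 200 status, which is why the AJAX branch answers 401 + JSON instead; and the redirect target in the JSON is only honoured if it is a same-site absolute path, so a tampered response cannot turn the sign-in bounce into an open redirect. The sign-in path, the JSON field names and the `X-Requested-With` convention (jQuery sends it; a bare XMLHttpRequest does not, so the client sets it explicitly) are assumptions for the example.

```javascript
// Added example modelling "auth.php branches on AJAX and returns a distinct
// response". Assumed names: SIGNIN_PATH, the JSON fields error/redirect, and the
// X-Requested-With header convention. None of this is from the original post.

const SIGNIN_PATH = '/signin.php'; // assumed location of the sign-in page

function signinUrlFor(path) {
  return SIGNIN_PATH + '?return=' + encodeURIComponent(path);
}

// Server side (what auth.php would do). `req` is a minimal request model:
// { headers: {...lowercase names...}, signedIn: bool, path: string }.
// Returns null to let the protected page/form handler run, otherwise a response.
function authGuard(req) {
  if (req.signedIn) {
    return null;
  }
  const xhr = (req.headers['x-requested-with'] || '').toLowerCase() === 'xmlhttprequest';
  if (xhr) {
    // Distinct AJAX response. A 401 is not followed by the browser, unlike a
    // 302, which XMLHttpRequest/fetch would follow and hand the script the
    // sign-in page HTML with status 200.
    return {
      status: 401,
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ error: 'not_signed_in', redirect: signinUrlFor(req.path) }),
    };
  }
  // Normal page load: the classic header('Location: ...'); exit;
  return { status: 302, headers: { Location: signinUrlFor(req.path) }, body: '' };
}

// Only same-site absolute paths are accepted as redirect targets: "//host/x"
// and "/\host/x" are protocol-relative URLs in browsers and would be open redirects.
function isSafeRedirectTarget(to) {
  return typeof to === 'string' && /^\/(?![\/\\])/.test(to);
}

// Client side: turn a response into an action, either
// { action: 'redirect', to } or { action: 'data', data }.
function handleAjaxResponse(res) {
  const contentType = (res.headers['Content-Type'] || res.headers['content-type'] || '').toLowerCase();
  if (res.status === 401 && contentType.startsWith('application/json')) {
    let payload;
    try { payload = JSON.parse(res.body); } catch (e) { payload = {}; }
    if (payload.error === 'not_signed_in' && isSafeRedirectTarget(payload.redirect)) {
      return { action: 'redirect', to: payload.redirect };
    }
    return { action: 'redirect', to: SIGNIN_PATH }; // untrusted target: use the known page
  }
  if (res.status === 200 && contentType.startsWith('application/json')) {
    return { action: 'data', data: JSON.parse(res.body) };
  }
  // Anything else (HTML that arrived because a 302 was silently followed, an
  // opaque redirect, a server error) is treated as "session gone" rather than
  // being injected into the page.
  return { action: 'redirect', to: SIGNIN_PATH };
}

// Browser glue (runs only in a page): submit a secured form and act on the result.
async function submitSecuredForm(form) {
  const res = await fetch(form.action, {
    method: 'POST',
    body: new FormData(form),
    headers: { 'X-Requested-With': 'XMLHttpRequest', Accept: 'application/json' },
    credentials: 'same-origin',
    redirect: 'manual', // a 302 becomes an opaque response (status 0) instead of being followed
  });
  const outcome = handleAjaxResponse({
    status: res.status,
    headers: { 'Content-Type': res.headers.get('Content-Type') || '' },
    body: await res.text(),
  });
  if (outcome.action === 'redirect') {
    window.location = outcome.to;
    return null;
  }
  return outcome.data;
}
```

The `return=` parameter is the usual way to bring the user back to the form after signing in; it is built from the request path on the server, so the client never has to trust anything but a path it validates itself.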