[security-dev] Ajax Session Management discussion (Security Related)

Anil Saldhana Anil.Saldhana at redhat.com
Wed Dec 5 23:19:07 EST 2012

Hi All,
   I want to learn a bit on ajax session management.  There are probably 
things I do not know and may learn from the Richfaces/Aerogear and other 
folks. :)

With the classic servlet based web apps, the sessions are managed by the 
servlet container. So when the session times out on the server, a 
secured web app may just return the login page. Without responsive web 
apps (no use of ajax for example), this works fine.

When an app makes ajax calls to the server, the session may have expired 
or invalidated. In this case, the server may send a response (such as a 
login page) that is different from what the ajax call was expecting and 
the flow is disrupted to yield a bad user experience.

I guess we need to have mechanisms to identify ajax calls (header 
"X-Requested-With") and determine if the session has timed out/expired 
and send back an appropriate http code so that the browser app can 
handle this use case properly.

If Ajax calls are involved, I would guess the web app security is 
probably not container managed (via web.xml/security annotations). We 
will need the following in container bindings project or something like 
a) A servlet filter for ajaxified web app with its own web security.
b) Updated Tomcat Authenticators for the case when container security is 
used and the web app wants to have ajax calls too.


More information about the security-dev mailing list