[security-dev] Ajax Session Management discussion (Security Related)
Anil.Saldhana at redhat.com
Wed Dec 5 23:19:07 EST 2012
I want to learn a bit on ajax session management. There are probably
things I do not know and may learn from the Richfaces/Aerogear and other
With the classic servlet based web apps, the sessions are managed by the
servlet container. So when the session times out on the server, a
secured web app may just return the login page. Without responsive web
apps (no use of ajax for example), this works fine.
When an app makes ajax calls to the server, the session may have expired
or invalidated. In this case, the server may send a response (such as a
login page) that is different from what the ajax call was expecting and
the flow is disrupted to yield a bad user experience.
I guess we need to have mechanisms to identify ajax calls (header
"X-Requested-With") and determine if the session has timed out/expired
and send back an appropriate http code so that the browser app can
handle this use case properly.
If Ajax calls are involved, I would guess the web app security is
probably not container managed (via web.xml/security annotations). We
will need the following in container bindings project or something like
a) A servlet filter for ajaxified web app with its own web security.
b) Updated Tomcat Authenticators for the case when container security is
used and the web app wants to have ajax calls too.
More information about the security-dev