[security-dev] Ajax Session Management discussion (Security Related)

Hi All, I want to learn a bit on ajax session management. There are probably things I do not know and may learn from the Richfaces/Aerogear and other folks. :) With the classic servlet based web apps, the sessions are managed by the servlet container. So when the session times out on the server, a secured web app may just return the login page. Without responsive web apps (no use of ajax for example), this works fine. When an app makes ajax calls to the server, the session may have expired or invalidated. In this case, the server may send a response (such as a login page) that is different from what the ajax call was expecting and the flow is disrupted to yield a bad user experience. I guess we need to have mechanisms to identify ajax calls (header "X-Requested-With") and determine if the session has timed out/expired and send back an appropriate http code so that the browser app can handle this use case properly. If Ajax calls are involved, I would guess the web app security is probably not container managed (via web.xml/security annotations). We will need the following in container bindings project or something like that: a) A servlet filter for ajaxified web app with its own web security. b) Updated Tomcat Authenticators for the case when container security is used and the web app wants to have ajax calls too. Regards, Anil