MVC, Authorization and AJAX – A Sordid Tale

So I was recently notified of a small bug in the application I am developing at work: some functions of the site weren't responding properly once the user was no longer authorized.  The tester (in this case, my boss) had let his machine go to sleep while he took care of some other things.  By the time he got back, his session had expired, but he tried to continue working.  The system obviously didn't like that, but it didn't respond properly either.

The reason is that the pieces that weren't functioning were AJAX calls.  These calls were being authorized (and failing because of the expired session), but the content of the response was actually the HTML of the login page.  That happened because the site was redirecting the request to the login page, as it absolutely should have.  However, I wasn't handling that situation on the client side, so the scripts were silently choking on a page of HTML where they expected data.

So how do we fix this?  Well, the first thing I did was hit Google, thinking that someone, somewhere had to have encountered this as well and should have a solution already.  Why re-invent the wheel?  The solution I put in place was actually pieced together from a blog post I found on the web and a Stack Overflow answer.  The overall concept is this: signal in the AJAX response that the request was denied because the user was no longer logged in, then detect that specific response on the client and redirect the user appropriately.

So the first part involves signaling in the response that the request was denied because the user's session expired.  I found the answer in this blog post.  The idea is simple: if the request is unauthorized and is also an AJAX request (how handy of the HttpContext to provide us with that little nugget of info!), then assemble either a JSON response or a Content response based on the MIME type of the request, and set the status code to 530 (a non-standard code, chosen precisely because nothing else will produce it).  Genius!

So now we've signaled in our AJAX response that the request was denied, and that it was because the user was no longer logged in.  Now we have to handle this appropriately on the client.  That's where this SO question comes into play.  I'm looking at the second response (not the accepted answer), and the "Client Side Code" section specifically.  This was a jQuery function I was not aware of.  Guess you learn something every day.  But the concept is simple: set up all AJAX calls that happen on the page to respond to any 530 status code with your custom function.  Construct the URL you need to return the user to after login and redirect there.  Problem solved!

I will come back to this post later and add some actual code samples rather than a wall of text and a couple links. But I hope this has helped someone!
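Until the real samples land, here is an added example (written for this post, not the author's production code and not the code from the linked blog post or SO answer) that models both halves of the fix in plain JavaScript so it can run outside a browser: the server side mirrors the AuthorizeAttribute override (redirect a normal browser request to the login page, answer an AJAX request with 530 and a JSON or text body chosen from the Accept header), and the client side mirrors the jQuery statusCode hook. The 530 code comes from the post; the login route `/Account/LogOn`, the `ReturnUrl` parameter and the `navigate` callback (standing in for `window.location.assign`) are assumptions.

```javascript
// Status code the post uses to mean "denied because the session expired".
const SESSION_EXPIRED = 530;
// Assumed forms-auth login route; ReturnUrl is the parameter the login page reads.
const LOGIN_PATH = '/Account/LogOn';

// Equivalent of HttpContext.Request.IsAjaxRequest(): jQuery adds this header to XHRs.
function isAjax(req) {
  return (req.headers['x-requested-with'] || '').toLowerCase() === 'xmlhttprequest';
}

// Only ever redirect to a path on this site: a full URL in ReturnUrl would be an open redirect.
function loginRedirectUrl(currentPath) {
  const local = currentPath.startsWith('/') && !currentPath.startsWith('//') ? currentPath : '/';
  return LOGIN_PATH + '?ReturnUrl=' + encodeURIComponent(local);
}

// --- Server side: what the authorization filter returns for an unauthenticated request ---
function authorize(req) {
  if (req.user) return { status: 200, headers: { 'content-type': 'text/plain' }, body: 'ok' };
  if (!isAjax(req)) {
    // A normal page request still gets the classic redirect to the login page.
    return { status: 302, headers: { location: loginRedirectUrl(req.url) }, body: '' };
  }
  // AJAX request: signal the expired session instead of handing back login-page HTML.
  const wantsJson = (req.headers['accept'] || '').includes('application/json');
  return wantsJson
    ? { status: SESSION_EXPIRED, headers: { 'content-type': 'application/json' },
        body: JSON.stringify({ error: 'Session expired' }) }
    : { status: SESSION_EXPIRED, headers: { 'content-type': 'text/plain' }, body: 'Session expired' };
}

// --- Client side: the hook every AJAX call shares (jQuery: $.ajaxSetup({ statusCode: { 530: fn } })) ---
function handleAjaxResponse(res, currentPath, navigate) {
  if (res.status === SESSION_EXPIRED) {
    const target = loginRedirectUrl(currentPath);
    navigate(target); // in the browser this would be window.location.assign(target)
    return { redirected: true, to: target };
  }
  return { redirected: false, body: res.body };
}

// Constructed sample: an XHR from a page whose session has already expired.
const expiredXhr = { user: null, url: '/Orders/List',
  headers: { 'x-requested-with': 'XMLHttpRequest', accept: 'application/json' } };
console.log(authorize(expiredXhr).status); // 530, not a 302 carrying login-page HTML
```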


~ by interneth3ro on March 22, 2012.
