I noticed if my session expired whilst on my site and then I clicked on an Ajax.ActionLink, the login page would be displayed in a PartialView. I've created an override of the OnActionExecuting method like so:
protected override void OnActionExecuting(ActionExecutingContext ctx)
{
if (!ctx.HttpContext.User.Identity.IsAuthenticated)
{
if (ctx.RequestContext.HttpContext.Request.IsAjaxRequest())
{
//ctx.RequestContext.HttpContext.Response.RedirectToRoute(new { controller = "Account", action = "LogOn" });
ctx.RequestContext.HttpContext.Response.Redirect(Url.RouteUrl(new { controller = "Account", action = "LogOn" }));
}
}
}
This checks if the User is Authenticated and then if the request is an AjaxRequest. It will then redirect the user to the LogOn method in my Account controller if they're no longer authenticated for an Ajax actionlink. The problem is I get "Failed to load resource" in the console.
This checks if the User is Authenticated and then if the request is an
AjaxRequest. It will then redirect the user to the LogOn method in my
Account controller if they're no longer authenticated for an Ajax
actionlink
Yes, but if you configured your Ajax.ActionLink or Ajax.BeginForm to update some DOM element with the results of the AJAX request using the AjaxOptions, it doesn't really matter if you are redirecting on the server. The AJAX request will simply follow the redirect and insert the resulting HTML you redirected to (/Account/LogOn) inside the DOM element.
So redirecting from an AJAX request won't solve your problem. As you know the whole point of an AJAX request is to stay on the same page (the address bar never changes).
If you wanted to handle the authentication cookie expired condition in a proper way within your AJAX requests you will have to perform the redirect on the client (using window.location.href). In order to achieve that you may take a look at the following blog post in which Phil Haack exposes a great technique allowing your server to send a 401 HTTP status code in this case instead of redirecting. Then on the client you could intercept this code (by subscribing to a global AJAX handler for example) and redirect to the logon page from the client.
Related
I have an ASP.NET MVC application with forms authentication enabled. I'd like to request a partial view using ajax and load the resulting html into a div on my main view, but I want to make sure that the ajax request is an authenticated request.
Is passing the authentication cookie in the ajax request for the partial view common practice to validate such requests and if so how would one go about acquiring the authentication cookie while on the client and then sending it along with the ajax request?
You can just set the authentication-attribute on your action-method and it will be sent correctly:
[Authorize]
public ActionResult GetPartial(){
return PartialView();
}
It is common to just pass the cookie with an Ajax-call. From the server's point of view, an ajax-call is not different from any other call.
I am building an application and I want to do a validation in which when user tries to access a POST method he should be redirected to a new Page. For example when I Login, the username and password validations are done in the post method that has
#RequestMapping(value = "/firstPage.htm", method = RequestMethod.POST)
So what I want to do is if user saves this link xyz.../firstPage.htm after the application is closed by pasting it in browser url, he should not get 405 error instead he should be redirected to another page that says You are not Authenticated to view this page.
How do I do this?
Regards,
Zingo
You could add another method in your controller that handles the same URI, but with RequestMethod Get. It can simply shows a page with a login form asking the user to login.
This will also lead to a more standardized approach. Where a GET request to a URL shows the form, while POSTing credentials to the same URL logs you in.
Hope this helps.
Iam using custom Authorize filter to on my action method to check if user has an access to it.
If user does not have an access then user is redirected to Unauthorize page.
The problem iam facing here is iam using Jquery Ajax request to call that action method. Everything works well if the user has an access. But if the user does not have an access the code is not able to bind the View("Unauthorize") and it display the existing view on the browsers screen;
Any suggestions would be helpful.
Thanks.
The thing is that ajax requests can not send a redirect response. You can instead either return a status code that tells the calling javascript to redirect or simply change the Response.ContentType to application/javascript and use window.location = "newUri" as the response body.
In my application this is how we are dealing with the session timeout till now
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="20" />
</authentication>
Now I want to deal session time out on client side, something like this
<authentication mode="Forms">
<forms loginUrl="showPopup();" timeout="20" />
</authentication>
Is that possible, or any other suggested way to achieve this?
Edit
I visited to other questions of the same type but could not get any real help from them.
In my application this is how we are dealing with the session timeout till now
Great, that's the correct way to define forms authentication in web.config
Is that possible
No, sorry, putting javascript in the loginUrl attribute is meaningless.
or any other suggested way to achieve this
From what I understand you are trying to display the LogOn form using some javascript function if the session has expired.
You should distinguish between 2 types of request to your server:
Standard synchronous requests (anchors, forms, redirects, ...)
Asynchronous requests (AJAX - done by using javascript)
In both cases on the server side you should protected actions that require authentication by decorating them with the [Authorize] attribute. For example:
[Authorize]
public ActionResult SomeAction()
{
...
}
Once you have secured your server you could start thinking about how to handle forms authentication cookie expiration or simply the case of an anonymous user attempting to call this action.
For the first case of standard synchronous calls to the server, the forms authentication module will intercept the request and if the user is not authenticated or his session expired ASP.NET will automatically redirect you to the LogOn page you have defined in the loginUrl attribute. It will also pass as a ReturnUrl query string parameter to this action which will be pointing to the originally requested url by the user and for which he was not authorized yet. This parameter could then be used to redirect him back to this page once he has authenticated.
Now the second case is a bit more difficult because since ASP.NET automatically redirects the request to the LogOn page you have no way of knowing inside your AJAX success callback that the user is not authorized and the server redirected the request to the LogOn page. Phil Haack wrote an excellent article on how you could prevent this redirect for AJAX request. I invite you to read this article now.
Alright, now that you have read the article and have installed his NuGet (Install-Package AspNetHaack), assuming you are using jQuery for your AJAX requests, you could subscribe to the .ajaxComplete() global event handler. Inside this handler you could test the server response code and if it is 401 it means that the user was not authorized. So you could act accordingly:
<script type="text/javascript">
$(document).ajaxComplete(function(event, xhr, ajaxOptions) {
if (xhr.status == 401) {
// the AJAX request failed because either the user was not
// authenticated or his session expired. So here you could
// do whatever you want. For example you could redirect him
// to the loginUrl defined in your web.config file:
window.location.href = '#FormsAuthentication.LoginUrl';
// you also have the possibility to show this logon form
// inside a popup or render it inline inside the page,
// by sending an AJAX request to this action and retrieving the
// corresponding partial
}
});
</script>
This configuration area is to configure server side behaviour, that happens when the server tries to handle a request where the session has expired. It is the result of a client -> server request for a page. As the client is a web browser and is by design disconnected from the server, you would have to include the logic you require in each page (probably in the main layout template) and then make AJAX calls at repeating intervals to the server to ascertain the user's session time-out state. The pop-up would also be handled on the client.
This area of configuration probably isn't going to help you reach your goal, I'd just remove the <forms> element altogether and look at solving the problem using AJAX calls to the server.
Here I am make one application which is fully remote based.
only once all js and css loaded. So I want need solution for session expired.
Means when ajax request come to controller, it will be authenticated first, for session if session expired then I want to redirect to login page relogin.
[EDIT - #Brad]
Let's try and clarify your requirement..
1) make request to server via Ajax
2) server responds with HTTP 401, not authorized
3) Ajax recognises 401 status and redirects to Login page
4) login success,
5) then old request executed. means step 1 request executes.
6) but I want dont want to execute that step-1 request but want to execute home page everytime.
One approach is to have your Client side AJAX code check for a HTTP 401 response code which means that your users session has timeout and they are no longer logged in.
Using JQuery...
$.ajax({
type: "post", url: "/SomeController/SomeAction",
success: function (data, text) {
//...
},
error: function (request, status, error) {
// look for status of 401 and redirect to login
}
});
Of course you just have to make sure your web app is returning the appropriate status codes. I found this article on the subject to be thought provoking.
There is also some good information on a similar question
[EDIT]
OK, from your updated question at step 3) this is occuring over an ajax request and I am expecting that your user does not see a login page because your ajax handling code will receive the 401 response and you can decide not to display it. You can then redirect the users browser to your login URL of choice. In this case you would redirect to the home page, or configure your login page to accept an additional URL parameter to tell it where you want the user to be sent to once they have logged in.
You could use a filter interceptor before the request comes on to your action every time.
A better way to do this is by using the apache-shiro authentication plugin available for grails.
See this : Apache Shiro Integration for Grails
Install this in your application and configure it. Its simple and takes care of most of your authentication requirements.