Can I call the server to set a new cookie with an AJAX request (that is, after the page has already loaded)?
For example, when a visitor hits a link, ajax would open a php file that sets a new cookie like this:
setcookie('cookiename', 'true', time()+3000, "/",'...');
But this is done after the html (the page containing the actual <a> tag pressed) was rendered. Is it nevertheless ok to set cookies in ajax? (maybe because the php file loaded is separate from the original html page).
You can have the server's response set a cookie, certainly. Remember that cookies are an HTTP thing, not an HTML thing; the fact that your original HTML file is already on the browser is irrelevant. Your ajax request is a separate HTTP request to the server, which (hopefully!) generates an HTTP response back to the browser; and that response can include a new Set-Cookie header.
I'm not a PHP person, you'll need to check that there are limitations in the PHP mechanism you're using for setting the cookie (I can't imagine there are). But fundamentally, no, there's no problem doing this. I've done it with both JSPs and classic ASP.
I've set cookies in the response to AJAX requests on my site and I haven't had any problems with it yet. (Although I haven't looked for problems.) It could be that some browsers don't set cookies when receiving them in an XmlHttpRequest but so far I've seen it work in IE, Chrome and Firefox.
Why not use javascript to edit cookies? Return the content of the cookie in JSON format and use javascript to store the values.
Related
I use ajax request beside pushing history state to load new content and update the entire page. At the server the X-Requested-With header is used to decide to send the full page or just the content. But it seems chrome tends to use the cache no matter it's loaded with ajax or normal request (it doesn't respect headers when checking the cache).
The problem happens when I open a site page, I click a link to navigate to a new page using ajax then navigate to a new page by entering the url in address bar. When I hit back the ajax cached version (no matter it's html or json) is shown instead of full page. When the cache is disabled everything works fine.
Is there any way to force chrome respect the request headers when checking the cache?
After some research I found out that browsers tend to cache responses base on Request Method as well as URL. So they won't consider any request headers when checking the cache by default. But it's possible to force the browser to respect some headers when checking the cache by using Vary header.
So by adding this header (Vary:X-Requested-With) to each response that changes based on X-Requested-With request header, server is telling browser that this response may vary if your X-Requested-With header is changed and you must request a new response.
I use tomcat's form based authentication on a webapp which use most of the time ajax call.
The configuration of the realm is pretty well documented, and it's working.
My problem begin when the user's session is ended, for any reason.
The subsequent ajax call will have a 200 ok response, with the content being the login page.
I'm looking for a way to change the beavaior of tomcat, like sending a 401 instead of hiding the content, forcing a client redirect, or any other solution that let the JS script know that the session is over and authentication is required once again.
After reading this http://www.htmlcodetutorial.com/document/index_tagsupp_13.html, I tried to add some custom header with http-equiv meta tag in my html login page.
But it doesn't work as expected. It seams that tomcat doesn't read static content in order to add headers.
I should also mention this post:
http://blog.pengoworks.com/index.cfm/2007/10/9/Expiring-Session-via-AJAX-using-HTTP-Response-Headers
What i end up doing is, on the js side, scan start of every response using a short regexp like this:
/^<!DOCTYPE html>/.test(responseBody)
It works, but take extra time for every request.
It only work because i know that i never use html as answer from the server.
Is it possible to change the HTTP_REFERER value in VBScript? To avoid XSS attacks I am using CSRF data in my links. But when I am linking the user to an external website, this CSRF data could be caught by the destination webpage if they are checking the HTTP_REFERER.
So I read you should put an intermediate page in between, which will redirect to the desired page. So I tried creating a page named RedirectPage.asp which takes the URL as a parameter and does a Server.Redirect. But if I would click an external link on pagex.asp?CSRF..., the final HTTP_REFERER I catch is still pagex.asp.
So is there a way to "clean up" my REFERER header?
Thanks!!
By using a meta redirect instead of a redirect header, you can alter the referrer in Firefox and IE, but not Chrome, as mentioned here: https://stackoverflow.com/a/2985629/160565
You can consistently clear (not change, but eliminate) the http_referer by redirecting through an SSL page however.
To save yourself a redirect, you could also check for browsers that support the rel="noreferrer" html5 attribute and use that instead in those cases. I believe currently that's just webkit browsers.
http://www.whatwg.org/specs/web-apps/current-work/multipage/links.html#link-type-noreferrer
I have a page with a middle ajax frame. This frame does a lot of requests. Last 2 requests are always this:
Last-1) Request GET page with url www.mysite.com/page1.php and the page response have always a text with "true" or "false".
Last) POST request with url www.mysecondsite.com/page2.php and the page response is empty.
I need to write an extension that reads if last-1 request is True or False and do something when last request is finish.... I tried use chrome.webRequest library but it didn't work...
How can I do this?
Edit: I know this, but I don't want script to do the request... Request are done by page because site need do some operation. I only need an extension to read this request.... but don't do it!
Edit2: I don't want to modify code on page.... I want only to check the response of this page (tab) at some AJAX request. I cant do ajax request or modify script.. only read response, is this possible?
You could make request to other sites using XMLHttpRequest object.
Chrome extension tutorial
Depending on how complex it is you could try replacing the function on the page that does the request with a copy that does the same but also sends the info to your extension.
Its hard to give advise without seeing the page in question.
It's well known that Internet Explorer aggressively caches ajax calls whereas all the other browsers grab the data fresh every time. This is usually bad: I've never encountered a case where I want ajax to NOT contact the server. Firefox, Safari and the other browsers know this and don't cache ajax calls.
To prevent IE from caching, you have to do one of the following:
add a cache-busting token to the query string (like ?time=[timestamp])
send a HTTP response header that specifically forbids IE to cache the request
use an ajax POST instead of a GET
I much prefer setting a no-cache header. It's the correct way: it tells all browsers not to cache, which is exactly what you intend. The query string method fills up the browser's cache with stuff that'll never be retrieved, leaving less room for legitimate cache content. And the POST method is a corruption of HTTP: POSTs are for modifying data.
In Grails, what's the best way to automatically send a do-not-cache header for all ajax requests? I don't want to modify any controllers, so I'm thinking there's got to be a cool filter trick or something.
Thanks!
Here's what I finally figured out. Most javascript libraries --including jQuery, YUI, Mootools and Prototype -- send the X-Requested-With: XmlHttpRequest header on every ajax request.
For any request that sends this header, you can send a response header back that tells it to not cache.
Below is a Grails filter that prevents caching of ajax requests that identify themselves with the X-Requested-With: XmlHttpRequest header:
// put this class in grails-app/config/
class AjaxFilters {
def filters = {
all(controller:'*', action:'*') {
before = {
if (request.getHeader('X-Requested-With')?.equals('XMLHttpRequest')) {
response.setHeader('Expires', '-1')
}
}
}
}
}
Some people prefer to use the Cache-Control: no-cache header instead of expires. Here's the difference:
Cache-Control: no-cache - absolutely NO caching
Expires: -1 - the browser "usually" contacts the Web server for updates to that page via a conditional If-Modified-Since request. However, the page remains in the disk cache and is used in appropriate situations without contacting the remote Web server, such as when the BACK and FORWARD buttons are used to access the navigation history or when the browser is in offline mode.
By adding this filter, you make Internet Explorer's caching consistent with what Firefox and Safari already do.
BTW, I've experienced the caching problem on IE8 and IE9. I assume the problem existed for IE7 and IE6 as well.
We use jQuery for all ajax calls so we add this block to our main.gsp (top-level layout):
<g:javascript>
jQuery(document).ready(function() {
$.ajaxSetup({
cache:false
});
});
</g:javascript>
Also answered here