I would like to determine whether or not the user is logged in or if they're just anonymous from javascript...

I found this question, but it's php code and I wasn't sure if there is a session variable called logged_in that gets stored on login or if that was just something that person had implemented himself.

Anyone know how I can check to see if the user is logged in from javascript, possibly using ajax?

Edit: I'm running Asp.Net MVC, sorry should have specified

This is so that I can implement a client-side ajax login. When the page loads, I need to know if the user is logged in or not so I can implement something similar to an <asp:LoggedInView> control using jquery.

Thanks,
Matt

+3  A: 

[DISCLAIMER] Since I've been getting so many comments from people about this being 'bad practice', I'm just going to say this: It IS bad practice to do it this way, but we don't know what the original poster is intending to do. For all we know, he's done everything else 100% correct and secure, and was just asking if there was a way to get at it from javascript. What I have done below is provided my best idea for how to accomplish what he has asked. [/DISCLAIMER]

You can have your php, or whatever backend language you're using, set a cookie that you can then read with javascript.

document.cookie

Simple as that. You'll have to search the cookie string for the name of your logged in cookie.

You can also use that to set a cookie and do your logging in through javascript (though probably not the best idea.)

See here for a quick overview of javascript cookie access.

[edit]

To address the issue of a client script having access to session information, and the possible use of ajax suggested in the original question:

Yes, an ajax call would be a very easy way to check this. I'm more of a jQuery guy, so my ajax experience lies there, but basically, you'd do an ajax call to your backend function, and that backend function just checks the 'loggedin' session variable, returning a true or false.

Also, since you now mentioned that you're using jQuery, see this page for easy jQuery cookie access. [/edit]

idrumgood
I will not downvote because it is technically correct, but I should advise: this is probably WRONG! Client scripts shouldn't know anything about session, it must be transparently handled server-side.
kentaromiura
You're correct, client script SHOULDN'T know about session stuff, but the original poster's question asks how to access the information from javascript, so the provided answer takes care of that.
idrumgood
Ok, but it remains wrong: if you're using cookieless authentication, the only way is to see if the URL has something in it. And if someone uses a custom authentication mode (for example passing sessionID in a hidden field), this way can't be a good way to deal with it either. The correct thing to do is to load 2 different scripts, one for anonymous access and one for authenticated users. Stop. BTW, if the script shows/hides important things, for obvious security reasons (and performance too) that part should be generated server side.
kentaromiura
Kent, the original question was not asking if javascript was the way to go when checking for a user login, nor did he ask how to handle security or any of that. Maybe he has a perfectly good reason for wanting to access this information from javascript. I just provided an answer for the question he asked.
idrumgood
This is definitely not the way to go. If you use a cookie to figure out whether the user is logged in or not, you are opening yourself up to very easy attacks from a hacker. It's extremely trivial for the user to modify their cookie so that it looks like you are logged in. Please do not do this.
SolutionYogi
How come the Sys.Services.AuthenticationService has a get_loggedin() method to check if the user is logged in from javascript? How does that one work?
Matt
About your disclaimer: after the OP's edit, he said he would like something like this: http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.loginview.aspx I understood your motivation (that's why I don't downvote you ;) ) but even so, your solution is still incomplete: asp.net lets you store the session in the URL (cookieless), like PHP's sessID. In that case you would find nothing in the cookie. (We can exclude custom auth in this case, after the OP's edits.) And if the OP would do something like LoggedInView in javascript, he is surely doing something wrong ;)
kentaromiura
A: 

You can parse document.cookie.

Alsciende
+3  A: 

You can't read session saved data from JavaScript.

An easy way to do it is to create a JS var from PHP (easier than cookies solution), like this:

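// Assumes session_start() has already been called on this page.
// isset() avoids an undefined-index notice when 'logged_in' was never set.
if (isset($_SESSION['logged_in']) && $_SESSION['logged_in'] == 1) {
    echo '<script type="text/javascript">var logged_in=true;</script>';
} else {
    echo '<script type="text/javascript">var logged_in=false;</script>';
}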

Then the JS will simply check the native logged_in var to see if the user is logged in.

<script type="text/javascript">
    if (logged_in) {
        alert("My user is logged in!");
    }
</script>
Makram Saleh
If we're going to talk about bad practices (see all the comments on my answer) then this one suffers all the same downfalls. It's still a client side variable that is easily modified. However, as far as answering the original poster's question, this one is just as good.
idrumgood
+1  A: 

It doesn't make any sense. If a user is logged in, you know it server-side. So you don't have to check if you're logged in client-side.

--EDIT :

After your clarification, I can only suggest verifying in the controller whether the user is logged in; if so, you show the normal view, otherwise you show a different view.

-- EDIT added Aphorism:

Some people, when confronted with a problem, think “I know, I'll use ajax.” Now they have at least two problems

kentaromiura
+2  A: 

This is a solution usually implemented with server-side languages. With JS you could, at least, set a cookie on the client in which to store that information.

However, with Ajax you should have a page (e.g. check_login.jsp/.aspx etc.) that checks whether the user is logged in (by accessing a DB, a Session variable etc.) and, if so, returns that information to JS (via JSON), which can then, for example, light a DIV with a green color...

So:

check_login.aspx --> return the info via Response.Write("{\"user_logged\":true}"); // keys must be quoted, or JSON.parse throws

From login.aspx, in your HTML code with JS, you'll have an AJAX call where your xmlhttp is already an instance of the XMLHttpRequest object...

var logged = JSON.parse(xmlhttp.responseText); // don't use eval
if (logged.user_logged) {
    document.getElementById("u_l").style.backgroundColor = "#00FF00";
}
xdevel2000
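
The AJAX check discussed in the answers above, as an added example that is not part of any post in the thread and is not ASP.NET code. It simulates both sides in plain JavaScript: the client treats the response as a UI hint and fails closed on anything malformed, while the server re-checks the session on every protected action. The session store, session ids and function names are hypothetical.

```javascript
// Added example: every name and value here is constructed for illustration.
const sessions = new Map([["sid-constructed-1", { user: "matt" }]]); // server-side state

// Server: what a check_login endpoint would answer for the caller's session id.
function checkLoginHandler(sessionId) {
  return { status: 200, body: JSON.stringify({ user_logged: sessions.has(sessionId) }) };
}

// Server: a protected action looks the session up again; the client's claim is ignored.
function protectedActionHandler(sessionId, clientClaimsLoggedIn) {
  void clientClaimsLoggedIn; // deliberately not trusted
  return sessions.has(sessionId)
    ? { status: 200, body: "ok" }
    : { status: 401, body: "login required" };
}

// Client: reduce the AJAX response to a boolean UI hint, failing closed to "anonymous".
function parseLoginState(status, responseText) {
  if (status !== 200) return false;
  let data;
  try {
    data = JSON.parse(responseText);
  } catch (e) {
    return false; // {user_logged:true} (unquoted key) is rejected by JSON.parse
  }
  // Only the boolean true counts; the string "true" or a missing key does not.
  return data !== null && typeof data === "object" && data.user_logged === true;
}

// Client: choose which block to show, as a LoggedInView-style control would.
function viewFor(sessionId) {
  const res = checkLoginHandler(sessionId); // stands in for the XMLHttpRequest round trip
  return parseLoginState(res.status, res.body) ? "logged-in-view" : "anonymous-view";
}

console.log(viewFor("sid-constructed-1"));
console.log(viewFor("sid-unknown"));
console.log(protectedActionHandler("sid-unknown", true).status);
```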