My app has a session timeout after 30 minutes. If the user has a "permanent login" feature activated, then on a subsequent HTTP request the server reads the "perm session" cookie and restores the session.

However, if the user does not reload or navigate to another page after his session expired, but rather clicks on a button that retrieves data via AJAX, the session is not resumed; in the DIV that the data was supposed to be loaded into, a login window appears instead.

This leads me to the assumption that AJAX calls do not carry cookie information with them. Am I correct, or have I missed something else?

Update:

backend: symfony 1.2 (PHP framework), frontend: Prototype

Update2: it was a bug in the application, not an issue with cookies

+1  A: 

An XMLHttpRequest call should carry cookie information like normal. You may be running into a bug. Are you ensuring the call is from the same domain origin?

Perhaps your cookies are also expiring? More info might help .. :)

Bartek
I suspect a bug, yes.
Tomas Kohl
+2  A: 

Sounds like you are restoring the session, but not providing a new auth cookie. You might want to try a technique that I've written about on my blog of having a client-side timer that will prompt the user right before the session times out and, when they click OK to renew it, will make a request that will serve to keep the session and authentication cookie alive. You can find more info at http://farm-fresh-code.blogspt.com. The article is titled Client-side Session Termination.

tvanfosson
Great tutorial! I'd rather not have the "Hey, your session is about to expire" notice to pop up; I prefer when the session resumes transparently.
Tomas Kohl
Just go ahead and make the request, then, instead of popping up the dialog. For security reasons I tend to want the session to expire if the user isn't sitting at their computer so I use the pop up and silently log them out if they don't respond within a reasonable amount of time.
tvanfosson
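
The trade-off discussed in the last answer and its comments (renew transparently while the user is present, but let the session end when nobody is at the keyboard) can be sketched as a small client-side state machine. This is an added example, not code from the thread or from the linked blog; the endpoint paths `/session/renew` and `/logout`, the two-minute margin and all names are assumptions.

```javascript
// Added example; endpoint paths and the timing margin are assumptions.
const SESSION_TTL_MS = 30 * 60 * 1000; // server timeout stated in the question
const RENEW_MARGIN_MS = 2 * 60 * 1000; // assumed: decide 2 minutes before expiry

class SessionKeepAlive {
  constructor(now = Date.now) {
    this.now = now;
    this.lastRenewal = now();
    this.lastActivity = now();
    this.loggedOut = false;
  }
  // Call from real input events only (click, keydown), never from timers.
  recordActivity() {
    if (!this.loggedOut) this.lastActivity = this.now();
  }
  // Returns "wait", "renew" (user was present, extend silently) or "logout".
  decide() {
    if (this.loggedOut) return "logout";
    if (this.now() < this.lastRenewal + SESSION_TTL_MS - RENEW_MARGIN_MS) return "wait";
    if (this.lastActivity > this.lastRenewal) return "renew";
    this.loggedOut = true; // nobody at the keyboard: let the session end
    return "logout";
  }
  // Report the outcome of the renewal request.
  renewalFinished(ok) {
    if (ok) this.lastRenewal = this.now();
    else this.loggedOut = true;
  }
}

// Browser wiring. Same-origin request, so session and auth cookies are sent.
function startKeepAlive(ka, renewUrl = "/session/renew", logoutUrl = "/logout") {
  let inFlight = false;
  document.addEventListener("click", () => ka.recordActivity());
  document.addEventListener("keydown", () => ka.recordActivity());
  return setInterval(async () => {
    if (inFlight) return;
    if (ka.decide() === "renew") {
      inFlight = true;
      try {
        const r = await fetch(renewUrl, { method: "POST", credentials: "same-origin" });
        ka.renewalFinished(r.ok);
      } catch { ka.renewalFinished(false); }
      inFlight = false;
    }
    if (ka.loggedOut) window.location.href = logoutUrl;
  }, 30 * 1000);
}
```

Because only genuine input events count as activity, an unattended browser tab cannot keep the session alive indefinitely, and a failed or rejected renewal ends the client session instead of leaving a stale page open.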