views:

32

answers:

1

Hello,

I'm creating a J2EE web application that uses jQuery and Ajax to help with some of the presentation for a user-friendly interface. I've done a lot of work ensuring security around persistant login cookies, and I've decided to request the password from any user that logged in using a persistant login cookie before being allowed to make any changes that could be malicious. This request would only happen once to confirm the user is who they say they are and will last throughout the session.

At present, any requests that meet this criteria has their request information stored in session and then the user is forwarded to a page to confirm their password. Once confirmed, the user's original request is then performed and the requestion information removed from session.

What I would like to do is avoid all this redirection and minimize what's held in session (even if it's just for a small time), thus improving usability and convenience for the user. I believe that a jQuery overlay could allow me to prompt the user for their password (if required) and then continue to submit the request if successful.

I would of originally used ThickBox, but since that's now deprecated I don't see the benefit in implementing it in an application at this development stage. However, I have tried to create an overlay using jQuery but I've scrapped every attempt as I can't seem to make it all come together. My main problem is preventing the submission when the user incorrectly types a password or cancels the overlay.

Desired Flow

Persistant Login > Sensitive Page > Submit > Password Confirmation Overlay > [Continue Submit | (Cancel | Incorrect]

I have already created JavaScript code to encrypt the password to be sent in a parameter, but all I need now is a method of controlling the overlay and how best to use Ajax for this purpose.

Please ignore the fact that this is a J2EE web application when answering as it is irrelevant really.

Thanks in advance,

Alasdair

A: 

Once you set the overlay up, you'll have to hook it into the submit (or any other action calls, if it's more ajax) action of your pages. So, if a user who is not authenticated submits something, your overlay will prompt for credentials.

Canceling the overlay can simply result in the original request being dumped. If the user does supply credentials, simply send it through ajax, verify server side and send in an appropriate response. Once you get the correct response you can simply trigger the original request that called for authentication.

Keep in mind though, you have to have your session checking code process on every request to the server. As jitter mentioned, any client side forms and submission can simply be bypassed.

jomanlk
Thanks for your response, and I had that logic in my head already. What I'm really looking for is a skeleton method of how to accomplish this. I'm struggling to find any decent examples of jQuery's overlay with this sort of usage in mind. Can you provide some sort snippets of code of how this could be implimented. I generally use jQuery for it's base framework (selectors etc.) and not the UI elements, so my experience with jQuery in this area is limited.
Alasdair
This is what you'd use mostly http://jqueryui.com/demos/dialog/ But even with that, there would be two more methods you'd have to code on your own. One method would hold any requests and trigger the login if required and the other method would be the one that the login box (dialog box) would trigger in turn to indicate that the request should go through. Look at the code for this : http://jqueryui.com/demos/dialog/modal-form.html Just modify the "Create an Account" button of the 'buttons' option to whatever you need (response checking and submitting the request)Hope I made sense :)
jomanlk