In building a content management system that incorporates jQuery AJAX into its GUI, I have come across a hurdle. It seems that some customers spend too long thinking about what they are going to write and therefore the server session logs them out; naturally, being the web, they have no idea about this. When they attempt to submit the changes, I use an AJAX call to the server to save the data.

What I would expect to happen next is that the MVC server application would return a "401 Unauthorized" status. I could then get my jQuery AJAX object to ask the user to log in and then resend the changes once the user was authorized.

However, what is actually returned from the MVC application is a "302 Found" status and a redirect URL to my login form page. The login form page returns a "200 OK" status code, and the jQuery AJAX object calls the success event that tells the user everything was successful, because that's what the MVC application is saying.

Is there a way for me to get the MVC application to play the way I think it should, or do I have to modify my jQuery AJAX events to detect the login page?

Update:

I've used Reflector to have a look in the MVC code, and the Authorize attribute returns a NotAuthorizedResult; the code for that is below (0x191 = 401):

    public override void ExecuteResult(ControllerContext context)
    {
        if (context == null)
        {
            throw new ArgumentNullException("context");
        }
        context.HttpContext.Response.StatusCode = 0x191;
    }

I'm thinking that maybe the Forms Authorization HttpModule is seeing the 401 and forcing the redirect.

+3  A: 

You could try something like this:

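    void context_EndRequest(object sender, EventArgs e)
    {
        var app = sender as HttpApplication;
        var response = app.Response;
        var request = app.Request;

        // IsAjaxRequest is a helper that is not shown in this answer.
        // Turn a 302 redirect into a 401 when the request is an AJAX call.
        if ((response.StatusCode == 302) && IsAjaxRequest(request))
            response.StatusCode = 401;
    }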

Put this in an HttpModule; it will be after the FormsAuth module in sequence, so it will correct the status code. Not pretty but effective.

Simon Farrow
In .NET 4.0 (maybe other versions too, I don't know), FormsAuthentication performs the redirect in the EndRequest handler. I found that FormsAuth hadn't processed the response if I used EndRequest, but using the PreSendRequestHeaders event worked a lot better (comes after EndRequest). Thanks for this great post.
womp
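
The client-side half of the problem discussed above, as an added example that is not part of the original question, answer or comment: it treats both a 401 and an unexpected HTML login page as "session expired", keeps the unsaved payload, and resends it after one login. The names `classifyResponse`, `saveWithReauth`, `send` and `promptLogin` are hypothetical, and it assumes a successful save always answers with `application/json`.

```javascript
// Added example; classifyResponse, saveWithReauth, send and promptLogin are hypothetical names.
// Assumption: a successful save always answers with application/json.

// An expired session reaches the callback either as a 401 (server corrected) or as
// a 200 carrying the HTML login page, because the browser follows the 302 itself.
function classifyResponse(res, expectedType = 'application/json') {
  if (res.status === 401) return 'reauth';
  const type = (res.contentType || '').split(';')[0].trim().toLowerCase();
  if (res.status >= 200 && res.status < 300) {
    return type === expectedType ? 'ok' : 'reauth';
  }
  return 'error';
}

// send(payload) resolves to { status, contentType, body } for one save attempt;
// promptLogin() resolves to true once the user has signed in again.
async function saveWithReauth(send, promptLogin, payload, maxLogins = 1) {
  for (let logins = 0; ; logins++) {
    const res = await send(payload);
    const verdict = classifyResponse(res);
    if (verdict === 'ok') return { saved: true, logins };
    if (verdict === 'error') return { saved: false, logins, reason: 'http ' + res.status };
    // Session expired: keep the user's text, ask for a login, then resend once.
    if (logins >= maxLogins || !(await promptLogin())) {
      return { saved: false, logins, reason: 'not authenticated' };
    }
  }
}

// Constructed responses, not captured traffic.
const LOGIN_PAGE = { status: 200, contentType: 'text/html; charset=utf-8', body: '<form id="login">' };
const UNAUTHORIZED = { status: 401, contentType: 'text/html', body: '' };
const SAVED = { status: 200, contentType: 'application/json', body: '{"ok":true}' };

// Simulate one edit whose first attempt hits an expired session.
async function demo(firstResponse) {
  const replies = [firstResponse, SAVED];
  return saveWithReauth(async () => replies.shift(), async () => true, { text: 'draft' });
}
```

With jQuery, `send` would wrap `$.ajax` and read `jqXHR.status` and `jqXHR.getResponseHeader('Content-Type')` in both the success and error callbacks.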