Weird Thoughts From Eric's Head


Ajax: Is it the end of the session as we know it?

One of the things that some developers are throwing out the window when using Ajax is the basic concept of session management. Now, a session timeout is a good thing when we are talking about secure data! It logs us out automatically after a set idle period when we forget to log out of a page before leaving to use the toilet. If we also forget to lock our workstation, anyone walking by can read the information on the screen. I do not want my employer seeing all of those responses to the resumes I sent out for Ajax jobs. (Hopefully my employer does not read my blog! - LOL - If they do, give me a raise and I may stay.)

Ah, I need to get back on track. A session, and the idle timeout that goes with it, is one of those things an application needs to make sure the person using it is still the person who logged in. Now what is the problem with Ajax and session? Let us look at an Ajax application, see what the problem is, and work out the solutions we can come up with.

The sample application I want to talk about is an Ajax based stock ticker that grabs stock data to display every 2 minutes. This kind of ticker seems to be on the popular side of Ajax scripts now on some major Web sites. Let’s say that this stock ticker hits a server side page to make its request. The server side page, in return, generates a dynamic XML document containing the stock data. Since every one of those requests carries our session cookie, the server treats it as activity and renews our session each time. That means every 2 minutes, when the ticker updates, it is telling the server that we are still there, and the idle timeout never fires. But I could be in my other office with my pants around my ankles reading the sports section of the local paper on how the Giants killed the Redskins on Sunday! Now, how can we stop this renewing of the session?

One way of doing it is to call a static XML file that some other server side process regenerates on a schedule. Fetching a static file does not renew our session, because nothing in that request path touches the session (as long as no filter or servlet sitting in front of it does). But that really stinks if we need the stock data customized to our needs. I do not care about QWERTY stock, I care about ASDFGH stock. So how can we keep session management in the picture while using the server to customize our data based on our preferences and current session state? Well, you could generate a custom XML file for every user, if you do not mind managing 100,000,000 XML files. Instead of that crazy solution, you can build a parameter into your session management that we monitor ourselves.

This parameter is a simple date timestamp stored in the session that is set each time the user makes a request to the server. The key word is user, since a user action is the only thing that should keep our session alive. An Ajax polling request does not update this timestamp; the container still renews its own session clock on every request, so that clock is no longer the one we care about. Therefore, whenever a request comes in, we compare the current time with the stored timestamp: if the idle limit has passed, we invalidate the session and send back a response the ticker can recognize (so it can stop polling and send the user to the login screen) instead of the data; if not, we serve the data, and only if the request was a real user action do we set the timestamp to now. For this to work the server has to be able to tell a poll from a user action, for example by a header or parameter the ticker adds to its requests. A client can lie about that, but a client that wants to keep its own session alive could just as well click a link, so this check is about idle detection for the honest user, not about stopping a hostile one. Yes, this method stinks, but it is the only really secure way I know of to keep the timeout working while still using the session and other parameters that are relevant to our user.
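Here is the timestamp check as an added example; it is not code from the post. It is written in JavaScript so it runs stand-alone in Node, but the logic is what you would put in a servlet filter in front of the ticker's server side page. The "X-Ajax-Poll" header that marks a poll, the stock XML and the two request timelines are all constructed for the example.

```javascript
// Added example (not Eric's code): server-side idle-timeout logic that ignores
// background Ajax polls. Assumption: the ticker marks each poll with a hypothetical
// "X-Ajax-Poll: 1" request header (in the browser: xhr.setRequestHeader('X-Ajax-Poll', '1')),
// and a request without that header is a real user action. Times are in milliseconds
// and `now` is passed in so the logic can be exercised without a real clock.

const MINUTE = 60 * 1000;
const IDLE_TIMEOUT_MS = 30 * MINUTE; // 30 minutes without a *user* action

// Created at login. lastUserActivity is the timestamp from the post; it is the only
// clock that decides expiry, not the container's per-request session access time.
function createSession(userId, now) {
  return { userId, lastUserActivity: now, valid: true };
}

// Constructed stand-in for the dynamic XML page; customized per user.
function stockXml(userId) {
  return `<stocks user="${userId}"><stock symbol="ASDFGH" price="42.00"/></stocks>`;
}

// Handle one request. Returns what the client sees, so the ticker can tell
// "here is your data" from "your session is gone, go to the login screen".
function handleRequest(session, headers, now) {
  if (!session.valid) {
    return { status: 401, reason: 'no session' };
  }
  // The check runs on every request, polls included, so the ticker is cut off at
  // the right time even if the user never comes back to click anything.
  if (now - session.lastUserActivity >= IDLE_TIMEOUT_MS) {
    session.valid = false; // the equivalent of HttpSession.invalidate()
    return { status: 401, reason: 'idle timeout' };
  }
  const isPoll = headers['x-ajax-poll'] === '1';
  if (!isPoll) {
    session.lastUserActivity = now; // only a real user action moves the idle clock
  }
  return { status: 200, body: isPoll ? stockXml(session.userId) : 'page' };
}

// Replay a constructed timeline of requests (minutes since login, poll or user
// action) against a fresh session and return the status of each response.
function runTimeline(timeline) {
  const session = createSession('eric', 0);
  return timeline.map(({ t, poll }) =>
    handleRequest(session, poll ? { 'x-ajax-poll': '1' } : {}, t * MINUTE).status
  );
}

// Constructed scenario 1: the user logs in, walks away, and the ticker polls every
// 2 minutes. The polls at 2..28 minutes succeed; the poll at 30 minutes expires the
// session and the one at 32 finds no session at all.
const WALKED_AWAY = Array.from({ length: 16 }, (_, i) => ({ t: 2 * (i + 1), poll: true }));

// Constructed scenario 2: same ticker, but the user clicks something at 20 minutes.
// The idle clock restarts, so the poll at 30 minutes still succeeds and the
// session expires at 50 minutes instead.
const CLICKED_AT_20 = [
  ...Array.from({ length: 9 }, (_, i) => ({ t: 2 * (i + 1), poll: true })), // 2..18
  { t: 20, poll: false },
  ...Array.from({ length: 15 }, (_, i) => ({ t: 22 + 2 * i, poll: true })), // 22..50
];

console.log('walked away:  ', runTimeline(WALKED_AWAY).join(' '));
console.log('clicked at 20:', runTimeline(CLICKED_AT_20).join(' '));
```

Run it with node and the two lines show the status the ticker gets back for each poll. Because the poll handler runs the same check as everything else, the ticker receives a 401 at the right minute and can send the user to the login screen instead of quietly fetching stock data for an empty chair.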

If anyone else can come up with another solution to this problem, I would love to hear it.

Eric Pascarello
Moderator of HTML/JavaScript at www.JavaRanch.com
Author of: JavaScript: Your Visual Blueprint for Dynamic Web Pages


Why not send a login screen back if there is no 'real' user activity in, let's say, 30 minutes? Or what about a screensaver-like div, graying out the whole screen?
Hi Anon, Sending you back to the login screen (or some other mechanism for not displaying the sensitive data) is exactly what would happen once the session has timed out. This article is dealing with more of the meat-and-potatoes problem of how to get that session to time out. Eric's solution is the only viable solution I've seen so far. -mk
Another alternative is to keep track of the session on the client side. Take a timestamp when the page is loaded or when user interaction causes an AJAX call, and then check this timestamp before the polling AJAX call is performed. If the session timeout time has elapsed, then submit the page to a server-side component that will expire the session.
@Richard Y. Never trust the client.

