How to gracefully handle login expiration for an Ajax call?


Question

My web application is made up of a lot of Ajax calls to server-side RESTful APIs. Each time a customer logs in to my site, the login page gets a JWT (JSON Web Token) from the server and stores it as a cookie on the client side. (I chose to store it as a cookie because it is the only way to let the browser send it automatically, and it is said to be safer than HTML5 Web Storage.) There's a field in the token describing the token's expiration date. For each Ajax call, the token is sent along for authentication.

If the client stays on my page for long, the token can expire. The server will detect it when the client makes the next HTTP request (not just a REST call). I use a servlet filter to intercept all HTTP requests and check the token for expiration. If the token has expired, a redirect-to-login-page response is sent.

But there's a problem with the above approach: "How to gracefully handle the redirect-to-login-page response on the client side?"

  • For non-Ajax-originated HTTP requests, I can rely on the browser to handle the redirect-to-login-page response and make the page jump automatically.

  • For Ajax-originated HTTP requests, it seems I need to add extra logic to each Ajax call's completion handler to detect the redirect-to-login-page response and imperatively make the page jump.

Or am I on the wrong track entirely?

Some references:

JWT (JSON Web Token) automatic prolongation of expiration

Which authentication strategy should I use for my API?

Implicit & Explicit Authentication

Addition 1:

It seems the browser will handle the 302 redirection transparently. So maybe I can just return a 302 redirection to the login page, be it for an Ajax call or a plain page visit. I will try and respond later.

From here:

If the response is an HTTP redirect (status code 301, 302, 303 or 307), then it MUST be transparently followed (unless it violates security or infinite loop precautions). Any other error (including a 401) MUST cause the object to use that error page as the response.

Catching 302 in JavaScript

How to manage a redirect request after a jQuery Ajax call

Accepted answer

For exactly this reason, web APIs should not respond with a 302 redirect, but with 401 Unauthorized when the token has expired.

Web applications should return 302 responses, as they are always meant to be consumed by browser-like agents. For more information see also my answer here.
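The answer's split in practice, as an added example written for this page (not code from the question, the answer, or the asker's servlet filter): the server-side decision for an expired token (401 with an RFC 6750 Bearer challenge for API routes, 302 for page routes), and one client-side fetch wrapper that handles the 401 in a single place instead of in every Ajax completion handler. It assumes REST endpoints live under `/api/` and the login page is `/login`; both paths are placeholders.

```javascript
// Added example, not code from the question or the accepted answer.
// Server side: the filter's decision for an expired token, written in JS here.
// Client side: one fetch wrapper so no individual Ajax handler needs redirect logic.
// Assumptions: REST endpoints live under /api/, the login page is /login.
// Runs under Node 18+ (global Response) and in a browser.

const LOGIN_PATH = "/login";   // assumed login page route
const API_PREFIX = "/api/";    // assumed prefix for REST endpoints

// Only allow a same-site path in ?next= so the login redirect cannot be turned
// into an open redirect ("//evil.example" or "https://..." are refused).
function safeNext(path) {
  return /^\/(?!\/)/.test(path) ? path : "/";
}

// Server-side decision once the JWT has been found expired.
// API calls (by path, or by an Accept header asking for JSON) get a 401 with a
// WWW-Authenticate challenge in the RFC 6750 Bearer format; page visits get the
// 302 the browser will follow on its own.
function expiredTokenResponse(path, acceptHeader = "") {
  const isApi = path.startsWith(API_PREFIX) || acceptHeader.includes("application/json");
  if (isApi) {
    return {
      status: 401,
      headers: {
        "WWW-Authenticate": 'Bearer error="invalid_token", error_description="token expired"',
        "Cache-Control": "no-store",
      },
      body: JSON.stringify({ error: "token_expired" }),
    };
  }
  return {
    status: 302,
    headers: { Location: `${LOGIN_PATH}?next=${encodeURIComponent(safeNext(path))}` },
    body: "",
  };
}

// Default client reaction: navigate to the login page, remembering where the
// user was. No-op outside a browser so the wrapper stays testable.
function defaultRedirectToLogin() {
  if (typeof window !== "undefined") {
    const next = encodeURIComponent(window.location.pathname + window.location.search);
    window.location.assign(`${LOGIN_PATH}?next=${next}`);
  }
}

// Client-side wrapper every Ajax call goes through. A 401 is handled here, once.
// As a fallback it also catches the case the question ran into: a 302 that the
// browser followed silently, leaving a 200 whose final URL is the login page
// (fetch exposes this as response.redirected / response.url).
// `deps` lets tests inject a fake fetch and a recorder instead of navigating.
async function apiFetch(url, options = {}, deps = {}) {
  const doFetch = deps.fetchImpl || globalThis.fetch;
  const onUnauthenticated = deps.onUnauthenticated || defaultRedirectToLogin;
  const resp = await doFetch(url, { credentials: "same-origin", ...options });
  if (resp.status === 401) {
    onUnauthenticated("401");
    return null;
  }
  if (resp.redirected && new URL(resp.url, "http://localhost").pathname === LOGIN_PATH) {
    onUnauthenticated("redirected");
    return null;
  }
  return resp;
}

// Constructed demo: two fake fetch implementations stand in for the server.
async function demo() {
  const calls = [];
  const record = (why) => calls.push(why);

  // 1. Server follows the answer: expired token on an API route => 401.
  const api = expiredTokenResponse("/api/orders");
  const fetch401 = async () => new Response(api.body, { status: api.status, headers: api.headers });
  const r1 = await apiFetch("/api/orders", {}, { fetchImpl: fetch401, onUnauthenticated: record });

  // 2. Server answered the Ajax call with a 302 instead. The browser follows it,
  //    so script sees a 200 from the login page. Modelled as a plain object
  //    because a Response cannot be constructed with redirected = true.
  const fetchFollowed = async () => ({ status: 200, redirected: true, url: "http://localhost/login?next=%2Fapi%2Forders" });
  const r2 = await apiFetch("/api/orders", {}, { fetchImpl: fetchFollowed, onUnauthenticated: record });

  return { api, page: expiredTokenResponse("/account"), r1, r2, calls };
}

demo().then((d) => console.log(JSON.stringify(d, null, 2)));
```

In the 401 path the wrapper is the only place that knows about login expiry; every call site just sees `null` (or throws, if you prefer) and never has to inspect redirect targets. The `redirected` check is a safety net for servers that still send 302 to Ajax clients; it depends on the login page's final URL, which is exactly the fragility the answer avoids by returning 401 for APIs.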
