cross-solution / YAWIK

YAWIK is a web application. It can be used as an ATS applicant tracking system or as a jobboard.
https://yawik.org
MIT License

XHR listener for HTTP 401 #249

Closed fedys closed 8 years ago

fedys commented 8 years ago

It would be fine to attach a listener to all XHRs which checks for an HTTP 403 response and then redirects a visitor to the appropriate page.

cbleek commented 8 years ago

This would solve the problem of expiring sessions.

@TiSiE @fedys: can you briefly discuss how we should do this?

fedys commented 8 years ago

Use a jQuery global event handler => check for an HTTP 403 response => redirect to http://yawik.org/demo/en/login with a meaningful message.

TiSiE commented 8 years ago

There are two kinds of 403.

  1. A visitor is NOT logged in and
  2. A user is logged in, but does not have the permissions to act on a resource (a recruiter accessing the admin area, e.g.)

In the first case a redirect to login page DOES make sense, in the latter NOT.

On the server side, the two kinds can easily be distinguished (using ZF Auth), but on the client side (JavaScript) it is not reliably possible.

Sending an additional header in the response would solve this.

cbleek commented 8 years ago

If a user is not authenticated, we should return

401 Unauthorized

If a user is authenticated but not authorized to access a page, we should return a

403 Forbidden

Currently, we always return 403.

TiSiE commented 8 years ago

:+1:

fedys commented 8 years ago

I was confused by the returned 403 in the browser's network activity panel in the case of an expired session. Of course, the XHR listener should check only for 401.

Do you want me to implement the following tasks?

  1. return 401 instead of 403 for NOT logged-in users
  2. attach the XHR listener and redirect to the login page

TiSiE commented 8 years ago

Go ahead! :smile:
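The client-side half of the plan agreed above (redirect on 401 only, never on 403), written here as an added example that is not YAWIK project code. It assumes the login route is `/en/login` (the demo URL quoted in the thread) and that it accepts a `redirect` query parameter; jQuery and `window` are passed in so the decision logic can be exercised without a browser.

```javascript
// Added example, not YAWIK code. Global jQuery ajaxError listener that sends
// a visitor to the login page on HTTP 401 (not authenticated) and only shows
// a message on HTTP 403 (authenticated but not permitted).
// Assumption: the login route is /en/login and accepts ?redirect=<path>.
const LOGIN_PATH = "/en/login";

// Pure decision logic, kept apart from jQuery so it is unit-testable.
// Returns { action: "redirect", url } for 401, { action: "notify", message }
// for 403, and null for any other status (normal error handling applies).
function decideOnStatus(status, currentPath) {
  if (status === 401) {
    // Already on the login page: do not start a redirect loop.
    if (currentPath.startsWith(LOGIN_PATH)) return null;
    // Carry only a same-site relative path as the return target, so the
    // redirect parameter can never be turned into an off-site (open) redirect.
    const safeReturn = /^\/(?!\/)/.test(currentPath) ? currentPath : "/";
    return {
      action: "redirect",
      url: LOGIN_PATH + "?redirect=" + encodeURIComponent(safeReturn),
    };
  }
  if (status === 403) {
    // Logged in but lacking permission: a login redirect would be wrong here.
    return { action: "notify", message: "You are not allowed to do this." };
  }
  return null;
}

// Wire the decision into jQuery's global ajaxError event. `$` and `win` are
// injected so the same function works with a fake jQuery in tests.
function installAuthListener($, win) {
  $(win.document).ajaxError(function (_event, jqXHR) {
    const decision = decideOnStatus(jqXHR.status, win.location.pathname);
    if (!decision) return;
    if (decision.action === "redirect") {
      win.location.assign(decision.url);
    } else {
      win.alert(decision.message);
    }
  });
}
```

In a real page the call is simply `installAuthListener(jQuery, window)` once the document is ready.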