Closed fedys closed 8 years ago
This would solve the problem of expiring sessions.
@TiSiE @fedys : can you shortly discuss, how we should do this?
use a jQuery global event handler => check for a 403 HTTP => redirect to the http://yawik.org/demo/en/login with a meaningful message
There are two kinds of 403.
In the first case a redirect to login page DOES make sense, in the latter NOT.
On the server side, the two kinds can easily be distinguished (using ZF Auth), but on the client side (Javascript) it is not possible reliably.
Sending an additional header in the response would solve this.
If a user is not authenticated, we should return
401 Unauthorized
If a user is authenticated but not authorized to access a page, we should return a
403 Forbidden
Currently, we always return 403.
:+1:
I was confused by returned 403 in browser's network activity panel in case of expired session. Of course, the XHR listener should check only 401.
Do you want me to implement the following tasks?
- return 401 instead of 403 for NOT logged-in users
- attach the XHR listener and redirect to the login page
Go ahead! :smile:
It would be fine to attach a listener to all XHRs which checks for HTTP 403 response and then redirects a visitor to the appropriate page.
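The client-side half of what the thread agrees on (a global XHR listener that sends an unauthenticated user to the login page on 401 but leaves an authorized-but-forbidden 403 on the page), as an added example that is not YAWIK's own code. It assumes a login path of `/en/login` (matching the demo URL quoted above), a `redirect` query parameter for the return path, and that requests go through jQuery so that `ajaxError` sees them; all three are assumptions, not project conventions.

```javascript
// Added example, not YAWIK project code. Illustrates the 401/403 split agreed
// in the thread: 401 => session expired or never logged in => go to login;
// 403 => logged in but not authorized => stay on the page and show a message.
const LOGIN_PATH = '/en/login';      // assumed login route (demo URL in the thread)
const RETURN_PARAM = 'redirect';     // assumed query parameter name for the return path

// Pure decision function so the policy can be tested without a browser.
function decideXhrAction(status) {
  if (status === 401) return 'redirect-login';  // not authenticated
  if (status === 403) return 'show-forbidden';  // authenticated, not authorized
  return 'none';                                // any other status: not our concern
}

// Build the login URL carrying the page the user was on, so they come back after login.
function buildLoginUrl(currentPath, loginPath = LOGIN_PATH) {
  return loginPath + '?' + RETURN_PARAM + '=' + encodeURIComponent(currentPath);
}

// Attach the global handler. `jq` and `win` are injected so the wiring can be
// exercised with fakes; in a page they are jQuery and window.
function installXhrListener(jq, win, loginPath = LOGIN_PATH) {
  jq(win.document).ajaxError(function (_event, xhr, settings) {
    // Never react to the login request itself: a failed login attempt that
    // answers 401 would otherwise bounce the user back to the login page in a loop.
    if (settings && typeof settings.url === 'string' && settings.url.indexOf(loginPath) === 0) {
      return;
    }
    const action = decideXhrAction(xhr.status);
    if (action === 'redirect-login') {
      win.location.assign(buildLoginUrl(win.location.pathname + win.location.search, loginPath));
    } else if (action === 'show-forbidden') {
      // Keep the user where they are; a redirect to login would make no sense here.
      win.alert('You are not allowed to perform this action.');
    }
  });
}

// Wire it up when running inside a real page with jQuery loaded.
if (typeof jQuery !== 'undefined' && typeof window !== 'undefined') {
  installXhrListener(jQuery, window);
}
```

The listener only works for requests issued through jQuery's ajax layer; raw `XMLHttpRequest` or `fetch` calls do not trigger `ajaxError`, so any non-jQuery request paths need the same status check applied separately. The exclusion of the login URL is the caveat to keep in mind: without it, a wrong-password response of 401 would redirect the user to the page they are already on.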