auth.requires_login redirect and session expiration


DenesL

Oct 6, 2015, 1:50:04 PM10/6/15
to web...@googlegroups.com
Hi

an expired session becomes empty, but this does not seem to always trigger the auth.requires_login redirection to the login URL, neither when it is set via auth.requires_login(loginURL) (aka the otherwise parameter) nor via auth.settings.on_failed_authorization = loginURL, when XMLHttpRequest (XHR) is used.
Actually, the otherwise parameter is superfluous in this case.

I get status 401 UNAUTHORIZED with the response
<div class="not-authorized alert alert-block"><h4>NOT AUTHORIZED</h4>Please <a href="">login</a> to view this content.</div>
but that is never seen, since I am using www.idangero.us/framework7 , which loads all links with Ajax by default and does not refresh the page.

So this probably happens because the call is being treated as a component by web2py.
I can get around this by defining the links as external in framework7 but I wonder if it would not be better to have a way to tell web2py to redirect when the session has expired even when using Ajax calls.

Thanks,
Denes

DenesL

Oct 7, 2015, 12:13:04 PM10/7/15
to web2py-users
Original post edited with new info.

Leonel Câmara

Oct 7, 2015, 12:42:08 PM10/7/15
to web2py-users
This should fix it:
auth.settings.client_side=True

You may want to set login_next too.

DenesL

Oct 7, 2015, 1:28:12 PM10/7/15
to web2py-users

Thanks for your reply, but those settings do not fix the issue, maybe because it is not a web2py component.

Leonel Câmara

Oct 7, 2015, 1:41:57 PM10/7/15
to web2py-users
That's weird, it should fix it anyway, because all that setting does is make sure the redirect is made using JavaScript on the client side.

Are you sure the setting is being applied before the auth.requires_login() decorator runs?

DenesL

Oct 7, 2015, 2:46:35 PM10/7/15
to web2py-users

Links on the client trigger XHR calls already.
I had those settings in a model so I am pretty sure they were set before any controller code.

DenesL

Oct 9, 2015, 1:22:52 PM10/9/15
to web2py-users
Changing

    if current.request.ajax:
        raise HTTP(401, self.messages.ajax_failed_authentication)

to

    if current.request.ajax and current.request.cid:
        raise HTTP(401, self.messages.ajax_failed_authentication)

in gluon/tools (Auth class, requires function; line 3749 in release 2.12.03)
seems to solve the problem, since it verifies that the request is a component before raising a 401; otherwise it follows the "otherwise" or auth.settings.on_failed_authorization redirect (which I am using).

Denes.

Massimo Di Pierro

Oct 9, 2015, 11:26:42 PM10/9/15
to web2py-users
Shouldn't we always return 403 if ajax?

DenesL

Oct 10, 2015, 8:35:50 AM10/10/15
to web2py-users

Status 401 is more appropriate since session has expired and the user is not authenticated.
Ajax or no ajax.

But we should return 403 when the user is authenticated and the request authorization fails for a component.

Do you agree with the following table?
USER = is authenticated
COMP = current.request.ajax and current.request.cid
RCR = raise or call/redirect

USER  COMP  RCR
  F     F   401/otherwise
  F     T   401
  T     F   403/otherwise
  T     T   403

 
Denes
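As an added example (not web2py's own gluon/tools.py code, and not part of the thread), the following is a runtime-free model of the decision table in the post above and of the `current.request.ajax and current.request.cid` check from the earlier patch. USER and COMP follow the table; the names Request, HTTPError, Redirect, enforce, requires and outcome are hypothetical stand-ins for web2py's request object, HTTP exception, redirect() and Auth.requires, and the two URLs are assumed. A legacy_is_component() function reproduces the unpatched `if current.request.ajax` test so the framework7 case (plain XHR, no component id, expired session) can be compared under both checks.

```python
"""Decision table for a web2py-style Auth.requires on a failed check.

Added example, not web2py's own code.  USER = the session still carries a
user, COMP = an XHR that names a component id (cid).  Unauthenticated -> 401,
authenticated but failing the condition -> 403; components get the status
raised, everything else is redirected (or `otherwise` is called).
"""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Optional, Union

# Assumed URLs (hypothetical; web2py builds them from auth.settings).
LOGIN_URL = "/app/default/user/login"
NOT_AUTHORIZED_URL = "/app/default/user/not_authorized"

ALLOWED = object()   # sentinel returned by enforce() when the check passes


class HTTPError(Exception):
    """Stand-in for gluon's HTTP exception: a status plus a client-visible body."""

    def __init__(self, status: int, body: str) -> None:
        super().__init__(f"{status}: {body}")
        self.status = status
        self.body = body


class Redirect(Exception):
    """Stand-in for web2py's redirect(), which raises an HTTP 303 internally."""

    def __init__(self, url: str) -> None:
        super().__init__(url)
        self.url = url


@dataclass(frozen=True)
class Request:
    ajax: bool              # X-Requested-With: XMLHttpRequest was sent
    cid: Optional[str]      # component id added by web2py's LOAD(); None for a plain XHR
    user_id: Optional[int]  # None when the session is empty or expired


def legacy_is_component(req: Request) -> bool:
    """Unpatched test: every XHR is treated as a component."""
    return req.ajax


def is_component(req: Request) -> bool:
    """Patched COMP test: only an XHR carrying a component id is a component.

    A plain XHR from a client-side router (the framework7 case) has ajax set
    but no cid, so it falls through to the redirect path instead of a bare 401.
    """
    return req.ajax and req.cid is not None


def enforce(req: Request, condition_ok: bool,
            otherwise: Union[str, Callable[[], object], None] = None,
            component_test: Callable[[Request], bool] = is_component):
    """Apply the USER/COMP table; return ALLOWED or the result of a callable `otherwise`."""
    authenticated = req.user_id is not None
    if authenticated and condition_ok:
        return ALLOWED
    status = 401 if not authenticated else 403
    if component_test(req):
        raise HTTPError(status, "NOT AUTHORIZED")
    target = otherwise
    if target is None:
        target = LOGIN_URL if not authenticated else NOT_AUTHORIZED_URL
    if callable(target):
        return target()          # web2py calls a callable `otherwise` instead of the action
    raise Redirect(target)


def requires(condition: Callable[[Request], bool], otherwise=None):
    """Decorator in the shape of auth.requires(condition, otherwise=...)."""
    def decorator(action: Callable[[Request], object]):
        @wraps(action)
        def wrapper(req: Request):
            result = enforce(req, condition(req), otherwise)
            return action(req) if result is ALLOWED else result
        return wrapper
    return decorator


def outcome(req: Request, condition_ok: bool, otherwise=None,
            component_test: Callable[[Request], bool] = is_component) -> str:
    """Describe what the client would see for one row of the table."""
    try:
        result = enforce(req, condition_ok, otherwise, component_test)
    except HTTPError as e:
        return f"raise {e.status}"
    except Redirect as r:
        return f"redirect {r.url}"
    return "allowed" if result is ALLOWED else f"otherwise() -> {result!r}"


if __name__ == "__main__":
    for user_id in (None, 7):
        for cid in (None, "c123"):
            req = Request(ajax=True, cid=cid, user_id=user_id)
            print(f"USER={user_id is not None!s:5} COMP={cid is not None!s:5} -> "
                  f"{outcome(req, condition_ok=False)}")
```

Running the block prints the four rows of the table for XHR requests; passing component_test=legacy_is_component to outcome() shows why the framework7 links never reached the login page under the unpatched check.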

Massimo Di Pierro

Oct 11, 2015, 12:51:58 PM10/11/15
to web2py-users
I agree