0

I have a password protected website--imagine something like linkedin-- where if the session expires you are prompted to log in again.

Some pages have ajax calls, however, that load content from the server into divs.

If you come back to the open div after the session expires and try to enter something, the php on the other end does a redirect within the div, and basically loads the whole login page inside the div. This creates a page within a page, an obvious error that tells the user, the site is not working properly.

Instead of the login page appearing inside the open div, I would like the div to close and the whole page redirect to the login. I am having trouble accomplishing this, however.

Right now I am doing the password protection with an include that checks for session and either allows you to continue or bumps you out to the login page. 

If ($_SESSION['login'] != '1') {
header("Location: relogin.php"); }

I have this include in the scripts triggered by ajax calls to fill divs so users cannot bypass security. It is a catchall include that also holds some global variables, functions and so forth.

Can I add code that detects if call is coming from ajax or something so as not to do redirect and instead give message to login. Or ideally, close div and redirect whole page?

Because it is a large site, I would like to find one block of code that could go into the global include.

Would appreciate any suggestions.

user1260310
  • 2,229
  • 9
  • 49
  • 67

4 Answers4

0

You will need to do the redirect on the JS side.

Let's go over the PHP side first. You want to give your AJAX handlers a clear, unambiguous, stateful response: "sorry, you're not authorized". Let's borrow from REST a bit right?

Top of each of your AJAX calls:

<?php if (!YouAreLoggedIn()) {
header($_SERVER['SERVER_PROTOCOL']." 403 Forbidden");
exit(); ?>

This will throw the visitor a 403 error, and will kill the script. 403 errors in jQuery count as a XHR error, so you can map it independently of everything else.

Your typical AJAX call then becomes:

$.ajax({
  url: "your.url.here.php",
  type: "POST",
  success: function(d) { YourSuccessCallHere(); },
  error: function() { window.location.href='your.redirect.here.php'; }
});

This is the cleanest way to do it.

Sébastien Renauld
  • 19,203
  • 2
  • 46
  • 66
  • You'll need to adapt it, but yes, it'll work without jQuery. xmlHttpRequest has a .status variable - look for a 403 in that. – Sébastien Renauld Nov 18 '12 at 12:32
  • right now my generic redirect sits in include at very top of ajax calls and other scripts since I use this include for various global variables. To keep this structure, can I detect if page is being called normally or through ajax so as to redirect normally if just a page or using your code if an ajax call? – user1260310 Nov 18 '12 at 12:38
  • You sure can! There are tons of ways to do this, the easiest being passing a _GET parameter of some sort. Just call your.script.php?AJAX=1 for AJAX and then discern if $_GET['AJAX'] is set. There are more subtle ways, but this is the easiest, most direct. – Sébastien Renauld Nov 18 '12 at 12:40
0

You could differentiate the two different calls by User-Agent or other header fields.

Use setRequestHeader() as described in links below:

JQuery Ajax Request: Change User-Agent

http://www.w3.org/TR/2007/WD-XMLHttpRequest-20070618/#dfn-setrequestheader

Community
  • 1
  • 1
Leo
  • 56
  • 2
  • 2
0

You could add a GET variable to the request URL whenever you're calling it via Ajax:

myurl.php?ajax=Y

Then on myurl.php, check to see if it's an ajax call:

if(!isset($_SESSION['login']) || $_SESSION['login'] != '1') {
    if(isset($_GET['ajax'])){
        echo json_encode("Please login!");
        exit;
    }
    else{
        header("Location: relogin.php"); 
        exit;
    }
}
Wayne Whitty
  • 19,513
  • 7
  • 44
  • 66
0

Use the following header to check if the request was an AJAX request:

X-Requested-With: XMLHttpRequest

read the header in php using:

$_SERVER['HTTP_X_REQUESTED_WITH'];
Niko Sams
  • 4,304
  • 3
  • 25
  • 44