3

So I've got a Backbone application + web homepage. Right now, if you log in to my website, I create a global object with your user details from the database. However, you can still just hit one of the routes in the application directly.

How should I handle users who are not "logged in" and redirect them to a "you must login page"?

Is this a standard operation? Basically, I have a REST URL set up that returns just

{ sessionId: [php-session-id-here] }

If they are logged in, it would return something more like this:

{
  sessionId: [php-sess-id],
  userId: [user-id-from-db],
  firstName: [f-name],
  lastName: [l-name]
}

Ideas? Thanks!

JayC
tvpmb
  • This seems like a decent high-level overview: [login overview](http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=10&sqi=2&ved=0CGwQFjAJ&url=http%3A%2F%2Fblog.opperator.com%2Fpost%2F15671431847%2Fbackbone-js-sessions-and-authentication&ei=D_V5T9vdCtHQiAKp1PSFCw&usg=AFQjCNGtNFQhPMG3J7Qkwg9RK4U4LrE_4A) – tvpmb Apr 02 '12 at 19:03
  • http://stackoverflow.com/questions/5808655/backbone-js-handling-if-a-user-is-logged-in-or-not seems to be very similar (if not a duplicate) with a selected answer. – keif Apr 02 '12 at 19:14
  • I did read over this q/a already, and that's about as far as I've gotten. From what I can tell it seems like people are generally using their REST server to handle the "logged in" / "logged out" functionality. One question I still have though is if you go directly to a route that *should* be logged in, how would that be handled? Do I have to do the login check on every single route in that case? – tvpmb Apr 02 '12 at 19:27
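An added example, not code from the question or any of the answers below: framework-free JavaScript that decides "logged in" from the session endpoint the question describes and wraps route handlers once, so a direct hit on a protected route is sent to the login route instead of checking the session inside every handler. The route names, the login route, and testing `userId` as the logged-in signal are assumptions; the hook into Backbone's `Router#execute` in the comment is a Backbone 1.1+ feature that is newer than this thread.

```javascript
'use strict';

// Added example (not code from the question or its answers). Decide "logged in"
// from the question's session endpoint: anonymous visitors get { sessionId },
// authenticated users also get userId, firstName, lastName. A sessionId alone
// proves nothing, so only a server-supplied userId counts. PHP may encode the id
// as a string, so both 42 and "42" are accepted.
function parseSession(json) {
  let data;
  try {
    data = JSON.parse(json);
  } catch (err) {
    return { loggedIn: false, user: null };
  }
  if (data === null || typeof data !== 'object') {
    return { loggedIn: false, user: null };
  }
  const id = data.userId;
  const loggedIn = id !== undefined && id !== null && String(id).trim() !== '';
  return { loggedIn, user: loggedIn ? data : null };
}

// Route guard: wraps each route handler once, so the login check does not have to
// be repeated inside every handler. Protected routes redirect to the login route
// when nobody is logged in and remember the requested route so the login flow can
// return to it. Route names and the login route name are assumptions.
function createRouteGuard({ publicRoutes, isLoggedIn, navigate, loginRoute = 'login' }) {
  const state = { returnTo: null };
  function wrap(name, handler) {
    return function guarded(...args) {
      if (publicRoutes.has(name) || isLoggedIn()) {
        return handler.apply(this, args);
      }
      state.returnTo = name;   // e.g. 'dashboard'
      navigate(loginRoute);    // with Backbone: router.navigate(loginRoute, { trigger: true })
      return false;            // the protected handler did NOT run
    };
  }
  return { wrap, state };
}

// With Backbone 1.1+ the same wrap fits the router's execute hook, which runs
// before every matched route callback (hypothetical sketch, not run here):
//   execute(callback, args, name) {
//     return guard.wrap(name, callback).apply(this, args);
//   }

// Demo with a constructed route table and constructed session payloads; no
// Backbone needed. This only improves UX: every protected REST call must still
// be checked server-side, because anyone can call the API without this script.
function demoRouteGuard() {
  let sessionJson = JSON.stringify({ sessionId: 'abc123' });  // constructed: anonymous
  const visited = [];
  const guard = createRouteGuard({
    publicRoutes: new Set(['', 'login']),
    isLoggedIn: () => parseSession(sessionJson).loggedIn,
    navigate: (route) => visited.push('navigate:' + route),
  });
  const routes = {
    '': guard.wrap('', () => visited.push('home')),
    login: guard.wrap('login', () => visited.push('login')),
    dashboard: guard.wrap('dashboard', () => visited.push('dashboard')),
  };
  routes.dashboard();  // direct hit while anonymous: sent to login instead
  sessionJson = JSON.stringify({ sessionId: 'abc123', userId: '7', firstName: 'Ann', lastName: 'Lee' });
  routes[guard.state.returnTo]();  // after login, resume the blocked route
  return visited;  // ['navigate:login', 'dashboard']
}
```

The guard answers the "do I have to check every route?" question with "once, at the wrapper", but it is a convenience for the browser only; the PHP side must still refuse protected REST calls without a valid session, since the JavaScript can be bypassed entirely.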

3 Answers

2

What I've done in the past is to include on every page along with jQuery (actually, added to the jQuery file) an extension on the AJAX method to check for a custom code that I send when a user isn't logged in. When that value was seen it redirected the user to the login page regardless of what was going down.

This was because that site had a timeout on login, so a user could get logged out while sitting on a page and then the AJAX request would just fail. If you don't have a timeout on the login, the odds of ever seeing this issue are slim. Just ignore requests that come from users that aren't logged in.

If you need help coding this, start here: Extending Ajax: Prefilters, Converters, and Transports.


Really shouldn't require anything as complex as pseudo-code:

  1. JS needs to do some AJAX, so JS talks to server
  2. PHP checks for login if needed
  3. If not logged in, send back the abort message (I used a converter to catch a "notLoggedIn" dataType. However this could also be done with a transport, they are just more complex.)
  4. JS sees the abort message and does a window.location redirect rather than returning the AJAX message.

If you want, you could load a lightbox with a login form and send that via AJAX to PHP, where a re-login can take place; if you remember the AJAX attempt that failed, you can send it again after login. Then the user doesn't even need to leave the page to log back in.

DampeS8N
  • This approach is very interesting. If I extend the ajax method, then wouldn't it apply to all requests? I guess then I would need to also include some sort of flag on whether or not to check if the user is logged in? – tvpmb Apr 02 '12 at 20:12
  • Another option might be to split my BB application into 2 routers. 1 Router that is for logged in, one that is for non-logged in. Logged in would override the not-logged in router. – tvpmb Apr 02 '12 at 20:12
  • Actually no, you can let the PHP handle it. If the method doesn't require login, don't check and don't return the 'this fool ain't logged in' token. You'll be setting up all AJAX requests to be forced to honor your not logged rules. Nice, simple, and clean. – DampeS8N Apr 02 '12 at 23:37
  • DampeS8N, is there perhaps a quick/simple way you could write some pseudo-code for what you're suggesting. I'm having trouble wrapping my head around the concept still (I'm new to BB/JS Object Oriented), but I've been doing PHP for a decade. Either way I think you've got the best answer, so this Q goes to you! – tvpmb Apr 03 '12 at 01:00
  • Great, I think I got it. I'll experiment on this today!! Appreciate the help! – tvpmb Apr 03 '12 at 16:03
0

If you're using jQuery, you can set a global ajaxSetting that allows you to do certain things upon certain HTTP codes. Some pages I read recommend adding to your JSON a url field to point to where to login, but I figure that's just up to you. So the only modifications you'd need to implement what I've mentioned are: 1. change the HTTP code to something reasonable like 401 (Unauthorized), and 2. implement the HTTP code handler. But I wouldn't call this standard, I'd just say that's what several people have done (including myself).

JayC
  • I did consider implementing http codes on the REST server portion. That might ultimately be the cleanest setup. I'll have to see about resources that are open to all, versus ones that require you to be logged in. – tvpmb Apr 02 '12 at 19:05
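An added example serving both the previous answer (an abort message inside an otherwise normal response, with the failed request remembered and replayed after a lightbox re-login) and this one (a 401 status, optionally with a login URL in the JSON). It is not code from either answer. The `notLoggedIn` body field, the `loginUrl` field, the `/login` default and the fake server are assumptions; the transport is deliberately pluggable so the same gate can sit in front of `$.ajax`.

```javascript
'use strict';

// Added example, not code from either answer. One response gate for every AJAX
// call that understands both signalling styles discussed above: the first
// answer's abort message inside a 200 body (assumed here as { notLoggedIn: true })
// and the second answer's 401 status, optionally carrying a { loginUrl } field.
function classifyResponse(status, bodyText, defaultLoginUrl = '/login') {
  let body = null;
  try {
    body = JSON.parse(bodyText);
  } catch (err) {
    // non-JSON body (HTML error page, empty response): treat as no payload
  }
  if (status === 401) {
    // Only follow a server-supplied login URL if it is a same-origin path.
    // Accepting an absolute URL here would turn the handler into an open
    // redirect for anyone able to inject a 401 response (proxy, hostile Wi-Fi).
    const url = body && typeof body.loginUrl === 'string' ? body.loginUrl : '';
    const sameOrigin = url.startsWith('/') && !url.startsWith('//');
    return { kind: 'relogin', loginUrl: sameOrigin ? url : defaultLoginUrl, data: null };
  }
  if (status >= 200 && status < 300) {
    if (body !== null && typeof body === 'object' && body.notLoggedIn === true) {
      return { kind: 'relogin', loginUrl: defaultLoginUrl, data: null };
    }
    return { kind: 'ok', loginUrl: null, data: body };
  }
  return { kind: 'error', loginUrl: null, data: body };
}

// The gate itself. `transport(request, done)` performs the request and calls
// done(status, bodyText); `onRelogin(loginUrl)` redirects or opens a login
// lightbox. Requests that failed for lack of a session are queued and replayed
// by loggedInAgain(), the "remember the AJAX attempt that failed" idea.
function createAjaxGate({ transport, onRelogin, defaultLoginUrl = '/login' }) {
  const pending = [];
  function send(request, callback) {
    transport(request, (status, bodyText) => {
      const result = classifyResponse(status, bodyText, defaultLoginUrl);
      if (result.kind === 'relogin') {
        pending.push({ request, callback });
        onRelogin(result.loginUrl);
        return;
      }
      callback(result);
    });
  }
  function loggedInAgain() {
    const queued = pending.splice(0);  // drain first so a repeat failure re-queues cleanly
    queued.forEach(({ request, callback }) => send(request, callback));
  }
  return { send, loggedInAgain, pendingCount: () => pending.length };
}

// Demo against a constructed, synchronous fake server; no network or jQuery.
function demoAjaxGate() {
  const log = [];
  let serverSession = null;  // constructed server state: null = no PHP session
  const transport = (request, done) => {
    if (request.url === '/api/public') return done(200, JSON.stringify({ ok: true }));
    if (serverSession === null) {
      // one endpoint signals in the body (first answer), one with 401 (this answer);
      // the 401 also carries an off-site loginUrl, which the gate must refuse
      return request.url === '/api/profile'
        ? done(200, JSON.stringify({ notLoggedIn: true }))
        : done(401, JSON.stringify({ loginUrl: 'https://attacker.example/login' }));
    }
    return done(200, JSON.stringify({ userId: 7, url: request.url }));
  };
  const gate = createAjaxGate({ transport, onRelogin: (url) => log.push('login:' + url) });
  gate.send({ url: '/api/public' }, (r) => log.push('public:' + r.kind));
  gate.send({ url: '/api/profile' }, (r) => log.push('profile:' + r.kind));
  gate.send({ url: '/api/orders' }, (r) => log.push('orders:' + r.kind));
  serverSession = 'sess-42';  // the user logs in again (lightbox or full page)
  gate.loggedInAgain();
  return log;  // ['public:ok','login:/login','login:/login','profile:ok','orders:ok']
}
```

With jQuery the transport would be `(req, done) => $.ajax({ url: req.url, complete: (jqXHR) => done(jqXHR.status, jqXHR.responseText) })`, or the 401 branch alone can be registered once with `$.ajaxSetup({ statusCode: { 401: handler } })`. Either way no individual call needs a "check login" flag: PHP decides per endpoint whether to answer with the token or the 401, which is the point made in the comments above. The same-origin check on `loginUrl` is the one thing worth keeping even if you simplify the rest.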
0
<?php
session_start(); // $_SESSION is empty until the session has been started

function isLoggedIn()
{
    // Change 'id' to whatever key you store in the session at login time
    return isset($_SESSION['id']);
}
?>

Then in your code, you could use something like: if (!isLoggedIn()) { header('Location: http://google.com'); exit; } (the exit matters: without it PHP keeps rendering the protected page after sending the redirect header).

Nathan
  • PHP isn't really the issue here, I'm more interested in how to do all of the logic on the BackboneJS side. Do you have any thoughts? – tvpmb Apr 02 '12 at 19:10