login flow could be improved #205

Open
kmccurley opened this issue Nov 23, 2019 · 1 comment

Comments

@kmccurley
Member

The way web login works is that both the client and the server have state that they use to maintain the login session. The server currently uses PHP session, which may be garbage collected at any time. Inside this session the server has access to the userid and username of the user. The client has a PHPSESSION cookie that is simply a key used by the server. When this key is sent to the server, the server can look up the session and validate the state. The session may expire at an indeterminate time, since the server is in control of this (actually the server has two parts - when the cookie is set and when the garbage collection runs).

I propose that we do the following:

  1. Start using both a PHPSESSION cookie and a program-editor cookie. The latter will store the userid/username that the server also stores in the session.
  2. When the client starts up, it should check for both the PHPSESSION cookie and the program-editor cookie. If both are present, then the client should assume that the session is valid until demonstrated otherwise by a 401 from the server.
  3. The client should never check the login unless it is performing some action with the server such as looking up the list of programs or saving a program or deleting a program. If it ever gets a 401 in response to an ajax, it should show a modal to force the login again. This means that the previous action generating a 401 would have to be reissued after login is successful.
  4. Because ajax actions may result in a 401 from the server, modals such as deleteProgramModal should be careful to handle this and show an option to login again. This would close the current modal and open the login modal.
@kmccurley
Member Author

This turns out to be complicated, because ajax.php needs to send a 401 if the authentication is invalid or missing, but this needs to happen before sending the Content-Type header. Then the client editor.js needs to be able to detect a 401 and show the modal. The ajax calls in editor.js need to check xhr.status to correctly handle errors.
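The client side of the flow proposed in the issue and the follow-up comment (cookie check at startup, 401 detection on every ajax call, login modal, then reissuing the action), as an added example that is not code from the program-editor project's editor.js or ajax.php. It is written in the callback style of an XMLHttpRequest/jQuery ajax call; the cookie names follow the issue text (PHP's default session cookie is actually named PHPSESSID), so both are parameters, and `makeFakeServer` is a constructed stand-in for ajax.php so the flow runs offline.

```javascript
// Added example, not the project's own code. Cookie names and the fake
// server are assumptions used to exercise the proposed 401 flow.

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Step 2: treat the session as valid only when both cookies are present.
// This is a hint, not proof: a 401 from the server on a later request wins.
function looksLoggedIn(cookieString, sessionName = 'PHPSESSION', editorName = 'program-editor') {
  const c = parseCookies(cookieString);
  return Boolean(c[sessionName]) && Boolean(c[editorName]);
}

// Steps 3-4: issue an ajax action; on 401 open the login modal and, once the
// user has logged in, reissue the same action exactly once.
//   sendRequest(cb)    performs the action and calls cb(status, body) (from xhr.status)
//   showLoginModal(cb) calls cb(true) after a successful login, cb(false) if dismissed
//   done(status, body) receives the final outcome for the caller (e.g. a modal)
function withRelogin(sendRequest, showLoginModal, done) {
  sendRequest(function (status, body) {
    if (status !== 401) return done(status, body);
    showLoginModal(function (loggedIn) {
      if (!loggedIn) return done(status, body);  // dismissed: surface the 401
      sendRequest(done);                         // a second 401 is passed through as-is
    });
  });
}

// Constructed stand-in for ajax.php: every request is a 401 until login() is called.
// Note the status decision is made before any body (or Content-Type) is produced.
function makeFakeServer() {
  let sessionValid = false;
  return {
    login: function () { sessionValid = true; },
    sendRequest: function (cb) {
      if (!sessionValid) return cb(401, 'Unauthorized');
      cb(200, ['prog1', 'prog2']);  // e.g. the user's list of programs
    },
  };
}
```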
