
jquery $.get with auth expired: gets the login screen in popup

The problem is that if the auth cookie has expired and the user clicks on a link that should open a popup using $.get, then I get the login screen in the popup (same masterpage in another masterpage) instead of redirecting the whole page to the login screen.

Does anybody know how to fix this?


When you make a request after your login session has expired, ASP.NET will automatically do a 302 redirect to your login action instead of returning a 401 "Unauthorized". The browser will quietly follow the redirect (even during an AJAX request) and make a second request to bring down the login page. There's no way that I am aware of to detect or prevent this redirect in JavaScript and there's no way of preventing the redirect server-side without reimplementing the entire FormsAuthenticationModule.

However, jQuery inserts an HTTP header

X-Requested-With=XmlHttpRequest

when making Ajax calls. The Request.IsAjaxRequest() method in ASP.NET MVC can be used to detect the presence of this header.

What we do in our site is put

if (Request.IsAjaxRequest()) { return new HttpUnauthorizedResult(); }

into our /auth/login action so that a 401 error is returned instead of the login page HTML if /auth/login is called during an AJAX call. We then detect the 401 in JavaScript and redirect to the login page manually.

Unfortunately Firefox (as of 3.5) and Opera (as of ~9.something) do not maintain the X-Requested-With header in the second request after a redirect, so IsAjaxRequest() returns false in this situation when these browsers are being used. This wasn't a big issue for us but it's something to keep in mind.
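Added example (not part of the answer above and not the poster's code): client-side handling of both outcomes that answer describes, the 401 returned by /auth/login and the case where the header is lost after the redirect and the login HTML arrives as a 200. The X-Login-Page response header is a hypothetical marker the login view would have to set; the return target is limited to same-site relative paths so the login redirect cannot be pointed at another host.

```javascript
// Added example. LOGIN_PATH is the login action named in the answer above;
// LOGIN_MARKER_HEADER is a hypothetical header the login view would set.
const LOGIN_PATH = '/auth/login';
const LOGIN_MARKER_HEADER = 'X-Login-Page';

// Decide whether an AJAX response means "session expired".
// status: HTTP status code; getHeader: function (name) -> string or null.
function needsLogin(status, getHeader) {
  // Server saw X-Requested-With and answered 401 instead of login HTML.
  if (status === 401) return true;
  // Redirect was followed and the header was dropped: login page comes back as 200.
  return status === 200 && getHeader(LOGIN_MARKER_HEADER) !== null;
}

// Build the top-level login URL. ReturnUrl is the query parameter ASP.NET
// forms authentication uses to send the user back after login.
// Only a path starting with a single "/" is accepted as the return target.
function loginUrl(returnPath) {
  const isLocal = typeof returnPath === 'string' && /^\/(?![\/\\])/.test(returnPath);
  return isLocal
    ? LOGIN_PATH + '?ReturnUrl=' + encodeURIComponent(returnPath)
    : LOGIN_PATH;
}

// Wiring for jQuery; active only in a browser page that has loaded jQuery.
if (typeof window !== 'undefined' && window.jQuery) {
  const check = function (event, jqXHR) {
    const getHeader = function (name) { return jqXHR.getResponseHeader(name); };
    if (needsLogin(jqXHR.status, getHeader)) {
      // Redirect the whole page, not just the popup content.
      window.location.href =
        loginUrl(window.location.pathname + window.location.search);
    }
  };
  // Global handlers cover every $.get / $.ajax call on the page.
  window.jQuery(document).ajaxError(check).ajaxSuccess(check);
}
```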


ASP.NET MVC has the following property on its Request object:

Request.IsAjaxRequest()

This will (amongst other things) check for the existence of the X-Requested-With header, and a value of XMLHTTPRequest. Checking this, along with checking for IsAuthenticated, would allow you to modify your response appropriately.

What you do then is up to you:

  1. Display a message to the user in the pop-up requesting that they log in again.
  2. Handle the response and perform a redirect as per Pekka's recommendation.


I don't know what you do with the results of your $.get operation but you could do one of the following:

  • Detect when your page is called through Ajax, and return a graceful error message

  • Detect when your page is called through Ajax, and return a piece of JavaScript to redirect the whole page to the login page (location.href=...)

Check out this question (the 2nd answer, preferably, mentioning the header) to find out how to detect whether a call was made using AJAX.


If the server has redirected you to a different login page, then you could check for the response headers (assuming they're being set) in your AJAX callback, and see if the HTTP status code is 3xx. If it is, do a manual redirect.

The $.get call returns an XMLHTTPRequest object and the property to check in that object is status, or make use of the low-level $.ajax instead of $.get.

Check out this question for more approaches. Can't you change the response headers/status code when sending back the PartialView?


I might recommend an approach similar to what is described here: http://developer.fellowshipone.com/patterns/#_logout_counter

Basically, inform the user their session is going to expire via a countdown. As soon as the session expires, immediately redirect to the login page.
