Password Confirmation Overlay
I'm creating a J2EE web application that uses jQuery and Ajax to help with some of the presentation for a user-friendly interface. I've done a lot of work ensuring security around persistent login cookies, and I've decided to request the password from any user that logged in using a persistent login cookie before being allowed to make any changes that could be malicious. This request would only happen once to confirm the user is who they say they are and will last throughout the session.
At present, any request that meets these criteria has its request information stored in session and then the user is forwarded to a page to confirm their password. Once confirmed, the user's original request is then performed and the request information removed from session.
What I would like to do is avoid all this redirection and minimize what's held in session (even if it's just for a small time), thus improving usability and convenience for the user. I believe that a jQuery overlay could allow me to prompt the user for their password (if required) and then continue to submit the request if successful.
I would have originally used ThickBox, but since that's now deprecated I don't see the benefit in implementing it in an application at this development stage. However, I have tried to create an overlay using jQuery but I've scrapped every attempt as I can't seem to make it all come together. My main problem is preventing the submission when the user incorrectly types a password or cancels the overlay.
Desired Flow
Persistent Login > Sensitive Page > Submit > Password Confirmation Overlay > [Continue Submit | (Cancel | Incorrect)]
I have already created JavaScript code to encrypt the password to be sent in a parameter, but all I need now is a method of controlling the overlay and how best to use Ajax for this purpose.
Please ignore the fact that this is a J2EE web application when answering as it is irrelevant really.
Thanks in advance,
Alasdair
Once you set the overlay up, you'll have to hook it into the submit (or any other action calls, if it's more ajax) action of your pages. So, if a user who is not authenticated submits something, your overlay will prompt for credentials.
Canceling the overlay can simply result in the original request being dumped. If the user does supply credentials, simply send it through ajax, verify server side and send in an appropriate response. Once you get the correct response you can simply trigger the original request that called for authentication.
Keep in mind though, you have to have your session checking code process on every request to the server. As jitter mentioned, any client side forms and submission can simply be bypassed.
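The flow described in the answer above, as an added example that is not part of the original question or answer: a submit guard that blocks the native submit, prompts through the overlay, verifies over Ajax, and re-submits only on success. `promptPassword`, `confirmWithServer`, the `/confirm-password` endpoint and its 2xx-on-success behaviour are all assumptions made for illustration.

```javascript
// Added example. promptPassword and confirmWithServer are hypothetical helpers
// supplied by the page:
//   promptPassword(attempt) -> Promise<string|null>  (null = overlay cancelled)
//   confirmWithServer(pw)   -> Promise<boolean>      (server verified the password)
function createSubmitGuard({ promptPassword, confirmWithServer, maxAttempts = 3 }) {
  // Client-side hint only, to avoid re-prompting. The server keeps the real
  // "password confirmed" flag in the session and checks it on every request.
  let confirmed = false;

  async function ensureConfirmed() {
    if (confirmed) return true;
    for (let attempt = 0; attempt < maxAttempts; attempt++) {
      const password = await promptPassword(attempt);
      if (password === null) return false;   // cancelled: drop the original request
      if (await confirmWithServer(password)) {
        confirmed = true;
        return true;
      }
      // wrong password: the loop re-opens the overlay
    }
    return false;                            // too many failed attempts
  }

  return async function onSubmit(event) {
    event.preventDefault();                  // always stop the native submit first
    const form = event.target;
    if (!(await ensureConfirmed())) return false;
    form.submit(); // HTMLFormElement.submit() fires no submit event, so no loop
    return true;
  };
}

// One possible confirmWithServer. The /confirm-password endpoint is an
// assumption; it is expected to answer 2xx only when the password is correct.
async function confirmWithServer(password) {
  const res = await fetch('/confirm-password', {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ password }).toString(),
  });
  return res.ok;
}

// Wiring (browser):
// form.addEventListener('submit', createSubmitGuard({ promptPassword, confirmWithServer }));
```

The guard only improves usability; the sensitive action itself must still be rejected server side whenever the session lacks the confirmation flag.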