Hello.

Maybe it would make sense to monitor the http dialog between server and browser, to see if the authentication headers get sent from the browser with the XMLHttpRequest, and if they were obtained by the browser during the previous request - the one for the content filling the window from where the XMLHttpRequest is sent.

What we found out with an exotic web server is that even if you do a call to the server and send the authentication headers, the server won't send them back unless the resource you request requires authentication (I dunno, maybe that's in the spec, but it's odd). So if you have a window displaying a resource requiring authentication, then open a new one, from Javascript, which displays content not requiring authentication, then issue an XMLHttpRequest from this second window, it is possible that the XMLHttpRequest will not contain the authentication headers by default. If this is your problem, I can't see any other solution than making the resource from within which you send the XMLHttpRequest a protected one, for which authentication is required.

In case you wonder, Ethereal is a free and nice traffic sniffer, which we used to diagnose such problems.

br,

--
Florin Jurcovici
------------------
Why do psychics have to ask you for your name?

On Mon, 18 Sep 2006 16:41:23 +0300, Amit Shinde <[EMAIL PROTECTED]> wrote:

Hello,
        I was wondering if anyone has played with AJAX. I want to call an OFBiz
service by making an XMLHttpRequest. I have a RequestHandler that is
supposed to process this request. The problem I am facing is of HttpSession.
Even though I am logged in, I get userLogin, dispatcher and delegator
attributes null. Is there a way where we can get our HttpSession attributes
from XMLHttpRequest? Do we need to do any special thing or is this just a
limitation?

Without a valid HttpSession, I obviously can't run the service unless I pass userLoginId in the XMLHttpRequest and get UserLogin value through delegator.
This approach will pose a security hazard nonetheless.

        Any insight will be appreciated.


Thanks in advance,

Amit Shinde
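As an added example (not code from this thread, and not OFBiz's own RequestHandler), a hypothetical servlet for the XMLHttpRequest endpoint that shows both points raised above: it answers 401 when the XHR arrived without the session credentials, so the missing headers show up immediately in the browser and in a sniffer, and it takes the user's identity only from the "userLogin" session attribute named in the question, never from a client-supplied userLoginId parameter. Class and method names are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical AJAX endpoint; the attribute name "userLogin" is the one from the thread.
public class AjaxServiceHandler extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false): never create a session here. An XHR that arrived without
        // the session cookie must not be handed a fresh anonymous session that later
        // code could mistake for a logged-in one.
        HttpSession session = request.getSession(false);
        Object userLogin = (session == null) ? null : session.getAttribute("userLogin");

        if (userLogin == null) {
            // The symptom from the thread: the browser did not send the credentials
            // with the XMLHttpRequest. A 401 makes that visible to the page's
            // JavaScript (status check) and to a traffic sniffer such as Ethereal.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("text/plain");
            response.getWriter().write("no authenticated session for this request");
            return;
        }

        // Identity comes only from the server-side session. A userLoginId request
        // parameter is never used to look up the user, because any caller could
        // send an arbitrary value; this is the hazard the question points out.
        if (request.getParameter("userLoginId") != null) {
            getServletContext().log("ignoring client-supplied userLoginId in session "
                    + session.getId());
        }

        // At this point the service can be invoked on behalf of the session's user.
        // Assumed placeholder response: a real handler would dispatch the service here.
        response.setStatus(HttpServletResponse.SC_OK);
        response.setContentType("text/plain");
        response.getWriter().write("authenticated session found; service may run");
    }
}
```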