Unauthorized Ajax Handler for Asp.net MVC
Requirements
I need respond to users that they are unauthorized, and I need it to not return a redirect to them from a ajax call which Asp.net MVC does by default. A even better solution would be that I also do not force users to refresh page they are currently on and instead give them the ability to re-login via ajax on that current screen. This would allow users to save any information they are currently working on. I should warn the user that it they are no longer logged in and if possible prompt them and within that same prompt allow them a way to login back in all without refreshing or a redirect. For now I'm going to just focus on the first problem which is suppressing Asp.Net's default behavior with unauthorized calls and do this just for Ajax calls.
Solution - Thanks to Joe Harrison for missing pieces!
//C# code override an Authorization Attribute create a customized one.
protected virtual void HandleUnauthorizedRequest(AuthorizationContext filterContext)
I need respond to users that they are unauthorized, and I need it to not return a redirect to them from a ajax call which Asp.net MVC does by default. A even better solution would be that I also do not force users to refresh page they are currently on and instead give them the ability to re-login via ajax on that current screen. This would allow users to save any information they are currently working on. I should warn the user that it they are no longer logged in and if possible prompt them and within that same prompt allow them a way to login back in all without refreshing or a redirect. For now I'm going to just focus on the first problem which is suppressing Asp.Net's default behavior with unauthorized calls and do this just for Ajax calls.
 |
| An Example I can see while using Blogger |
Solution - Thanks to Joe Harrison for missing pieces!
//C# code override an Authorization Attribute create a customized one.
protected virtual void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
if (filterContext.HttpContext.User.Identity.IsAuthenticated)
{
filterContext.Result = new HttpStatusCodeResult(403, "Forbidden");
}
else
{
// Returns HTTP 401 - Assuming they losted access while on the proper page.
filterContext.Result = new HttpUnauthorizedResult();
//This solution will only work on Asp.net 4.5 and update!
if (filterContext.HttpContext.Request.IsAjaxRequest())
{
filterContext.HttpContext.Response.SuppressFormsAuthenticationRedirect = true;
}
}
}
For the Future
Using AjaxError() Method you could create a general case for handling error with all unauthorized cases but the question I have for myself is will this be a good thing to make an assumption that all errors are unauthorized cases? Probably not else what about errors on a request? This becomes a bigger question of what should I be returning for error requests from the middle tier. I'll start on these questions before I go on implementing the Ajax Error Handler but I should also see what happens if the Ajax call itself has it's own error function as well. Will this function override the general case one or will they both take action? I believe they both will take action but I should test and see.
Update
Might do something like this: jQuery: How to get the HTTP status code from within the $.ajax.error method? - Stack Overflow
Resources
Prevent Forms Authentication Login Page Redirect When You Don’t Want It - You've Been Haacked
asp.net - How do you handle ajax requests when user is not authenticated? - Stack Overflow
jQuery.ajax() | jQuery API Documentation
HttpResponse.SuppressFormsAuthenticationRedirect Property (System.Web)
AuthorizeAttribute Class (System.Web.Mvc)
.ajaxError() | jQuery API Documentation
List of HTTP status codes - Wikipedia, the free encyclopedia
AjaxRequestExtensions.IsAjaxRequest Method (System.Web.Mvc)
Handle Ajax request with expired forms authentication, in MVC ajax.form | MVC Diary
Using AjaxError() Method you could create a general case for handling error with all unauthorized cases but the question I have for myself is will this be a good thing to make an assumption that all errors are unauthorized cases? Probably not else what about errors on a request? This becomes a bigger question of what should I be returning for error requests from the middle tier. I'll start on these questions before I go on implementing the Ajax Error Handler but I should also see what happens if the Ajax call itself has it's own error function as well. Will this function override the general case one or will they both take action? I believe they both will take action but I should test and see.
Update
Might do something like this: jQuery: How to get the HTTP status code from within the $.ajax.error method? - Stack Overflow
Resources
Prevent Forms Authentication Login Page Redirect When You Don’t Want It - You've Been Haacked
asp.net - How do you handle ajax requests when user is not authenticated? - Stack Overflow
jQuery.ajax() | jQuery API Documentation
HttpResponse.SuppressFormsAuthenticationRedirect Property (System.Web)
AuthorizeAttribute Class (System.Web.Mvc)
.ajaxError() | jQuery API Documentation
List of HTTP status codes - Wikipedia, the free encyclopedia
AjaxRequestExtensions.IsAjaxRequest Method (System.Web.Mvc)
Handle Ajax request with expired forms authentication, in MVC ajax.form | MVC Diary