6
votes

I'm building a system using jQuery and AJAX calls to classic ASP pages which handle the server stuff.

This system requires a user to be logged in. I'm using the session to store the username.

The problem is that the session times out after the default 20 mins and users are being redirected to the sign in page. I'm assuming that for some reason the AJAX calls are not maintaining the session.

Here's how I'm doing things:

When the user logs in I post an AJAX call as follows:

$.ajax({ 
    type: "POST", 
    url: "admin/ajax/signin.asp",
    data: { 
        'username': username,
        'userpassword': userpassword
    },
    cache: false,
    success: function(data, textStatus, jqXHR) {  
        if (jqXHR.getResponseHeader('REQUIRES_AUTH') === '1'){
            $('#failed').show();
        }
        else {
            location.href = "admin/"
        }
    }
});   

signin.asp checks the user's details against the database; if OK, this page stores the username in a session variable.

Session("userid") = Request("username")

The user is now logged in.

Whilst the user is using the system every page checks the REQUIRES_AUTH header on every AJAX request and handles the logout redirection as follows:

/* Check user logged in on every ajax request */
$('body').ajaxComplete(function(event,request,settings){
    if (request.getResponseHeader('REQUIRES_AUTH') === '1'){
        location.href="../signin.html"
    };
}); 
/* End */

Every ASP page that is called using an AJAX post does a check on the session. If it's not there, then it sets the REQUIRES_AUTH header as follows:

If (trim(Session("userid")) = "") Then
    'No session so clear variable
    Session.Contents.Remove("userid")
    'Redirect to Login page
    Response.AddHeader "REQUIRES_AUTH", "1"
Else
    Session("userid") = Session("userid")  
End If

I made the assumption that using Session("userid") = Session("userid"), and the fact that I'm calling an ASP page which does something on the server, would be enough to maintain the session, but it appears not. All advice greatly appreciated. Do I have something fundamentally wrong?

2
Instead of doing Session("userid") = Session("userid") in the else part, why not set REQUIRES_AUTH to 0? - Flakes
Your outer pages and the ones in admin/ajax are part of the same Application, right? Otherwise you might be keeping the wrong session alive. Admin/ajax is just a virtual directory under the main application? - Don Zacharias
@SearchAndResQ - Because I only ever check if REQUIRES_AUTH = 1 and then ask users to log in if it does. I don't get how your suggestion would help with the problem of the session not being maintained? Please advise. - Higgs Boson
@DonZacharias - I'm not sure what you mean by Application. admin/ajax/ is simply the folder structure to the classic asp pages which are called from the ajax request. - Higgs Boson
FYI on AJAX and "maintaining" sessions: run an AJAX script on an interval every so often, i.e. every 15 min, if you are running a one-page application. If you get/post it won't refresh your token; you need to do it manually. Set up a script and an ASP file that will continuously refresh your token. Do NOT treat AJAX as an HTML page. - Dnaso

2 Answers

1
votes

You can set an auto refresh in JavaScript every 15 min with a hidden countdown, or pass a unique token in your client-side JavaScript.
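
The timed refresh suggested in this answer and in Dnaso's comment, as an added example that is not part of the original thread. It pings only while the user has been active recently, so an unattended browser still lets the server session expire. The names `createKeepAlive` and `admin/ajax/keepalive.asp` and the one-hour idle limit are assumptions made for illustration.

```javascript
// Added example (not from the thread). Hypothetical names: createKeepAlive,
// admin/ajax/keepalive.asp (assumed to run the same Session("userid") check
// as the other AJAX pages and to set REQUIRES_AUTH: 1 when the session is gone).
function createKeepAlive(opts) {
  var now = opts.now || Date.now;      // injectable clock, for testing
  var lastActivity = now();
  var lastPing = now();
  return {
    // Wire to real user input (click, keydown), never to a timer.
    activity: function () { lastActivity = now(); },
    // Call on a short timer. Returns "idle", "ping" or "wait".
    tick: function () {
      var t = now();
      // No input for idleLimitMs: stop pinging so the server session expires.
      if (t - lastActivity >= opts.idleLimitMs) return "idle";
      if (t - lastPing >= opts.pingEveryMs) {
        lastPing = t;
        opts.ping();
        return "ping";
      }
      return "wait";
    }
  };
}

// Browser wiring with jQuery, as used on the page; skipped outside a browser.
if (typeof window !== "undefined" && window.jQuery) {
  var keepAlive = createKeepAlive({
    pingEveryMs: 15 * 60 * 1000,       // below the 20 minute Session.Timeout
    idleLimitMs: 60 * 60 * 1000,       // constructed value: 1 hour without input
    ping: function () {
      // The existing ajaxComplete handler still sees REQUIRES_AUTH on this reply.
      window.jQuery.ajax({ type: "POST", url: "admin/ajax/keepalive.asp", cache: false });
    }
  });
  window.jQuery(document).on("click keydown", keepAlive.activity);
  setInterval(keepAlive.tick, 60 * 1000);
}
```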

0
votes

Unfortunately there is no sliding expiration in classic ASP sessions. I can think of two suggestions:

  1. Use a cookie in place of the session to identify the user. Maybe the hash of the User Id will be suitable.
  2. Extend the Session.Timeout value to something larger than 20 min.