A good design solution when a form is submitted, what should be the behavior of "back" and then "forward" browser button.
Similar question is what should happen when a user logout an application the then click "forward" browser button?
I will be glad to hear some scenarios for the mentioned situations.
Thanks.
Edit - should be good to share and my point of view :-)
My personal opinion is after logout the user should be not able to enter the application without go through the login page.
For the submit scenario - after submitted and back browser button , the user should be able to return to the form but with NO containing data.
One common pattern is Post/Redirect/Get. Under that pattern, the result of the post is a bookmarkable (and back/forward navigable) page. The Back button has one of it usual meanings of "I didn't mean to go here, take me back where I was" like hitting ESC in most Windows dialogs, and the Forward button means "I didn't mean to hit the back button, I wanted that page after all." This pattern isn't going to work for everyone; it makes the most sense when each page (including the response to a form submit) represents some conceptual entity that you'd want to bookmark.
As for the logout scenario, most apps check whether you're logged in no matter what page is specified in the URL, and redirect to the login form if you're not logged in. (You don't have to code that on every page; the check is usually a Valve or something.) A nice feature is to remember where the user was trying to go and take them there upon sucessful login.
Your question is more about design than technology, so GWT doesn't really change the picture, except to note that the GWT history mechanism is intended to mimic the behavior of static pages connected by links, which the post/redirect/get pattern does also.
It is very common to use state machines to keep the user(session) and request state. If you have such a state machine then you know that user is trying a wrong transition. Depending on the user state and the wrong transition you can forward the user to a page. For example if the user tries to go to a page which needs to be logged in but she/he has already logged out, you can send her/him to a login page but you can provide user name and only ask for the password.
To add this functionality you can write your own code by hard-coding the state machine in your code or you can use one of the available libraries. For example,
Spring Web Flow provides this functionality for Spring framework.
Related
I am a DBA, not a web developer. I am trying to build a complex website with Joomla. The user page needs to be interactive without refresh. I am not sure I am using the right words, but here goes.
Assume a user is logged in and a session is started - and we have that data along with the users IP address.
The database is crunching things from other users too, just like this one. As the database works, it generates information to be displayed on EACH users screen in real-time, without the user clicking, without screen refresh, and without the web-page code polling the server at intervals. In fact the user may click a different action from their screen simultaneously, so the user screen cannot be sitting waiting for a reply or polling at predefined intervals. It is basically receiving and transmitting "virutally" at the same time. If this is possible to do, a single piece of code would work and results could be deciphered for the right screen entry point (several boxes).
What can be used to do this? Thanks, Bruce
off cource its possible. make ajax call to link like
"index.php?controller=myController"
and in myController set header of either xml or json and prepare response of AJAX there. and at end of code write $app->close(); to avoide rendering of other modules and content
I need to leave cache enabled and disable the user from seeing the information once they go back after logging out.
I'm aware that cached pages showing upon logout + back button is by design within browsers. I'm aware that disabling cache is a way to force logout + back to force a revalidation.
With JSP (CQ5 specifically), is this even possible?
I have the following solutions in mind, but am not sure which is the best approach for my needs:
Disable cache everywhere. This works, but is unacceptable because the publisher we are using will be too busy re-upping pages.
"Logout" button POSTs to Page A. Page A kills the session and forwards the user to Page B with some "You have been logged out" message. "Back" from Page B will pop the message browsers provide about having to re-post values. Yes = they log back out (harmless at this point) and get forwarded to Page B again. No = they sit at Page A harmlessly. But, "back" + "no" + "back" may land them on the cached page, or a selection from history would still show a cached page.
"Logout" button pops a new window, asking if they're sure/warning them to close their session. "I'm sure" does a window.opener.reload() or window.opener.close(). But, if JavaScript is disabled, we're doomed.
"Logout" posts to the current page. All pages check the existence of some POSTd value. If present, forward to Page B with a "you have been logged out message". Similar to #2. This will essentially re-cache the page into a "You have been logged out" page, but "Back back" or history will still have cached pages.
Is there some way to manually clear a user's cache, or force the validation check to happen even on cached pages? I'm out of ideas here...
Your problem here is that you are trying to cache something that should be kept secret. Caching information behind a password is not secure and is a risk.
However, it may make sense to cache the generic html parts of a page behind a password. Anything that any logged in user can see is OK in this regard. It is only the specific information such as username, address, phone number etc that is sensitive.
If you make a separate JSON call to pull down the data, the infomration will be lightweight, but still secure, as it is not cached on the system, but also not padded with html formatting etc.
The page can also have the intelligence to display a log in challenge if the users session has been interrupted for whatever reason, they retype and continue from where they left off, whilst still keeping the back button in place.
I would also think if there is any sensitive information is kept in the history, such as id's, actions etc, that can be a problem as well.
Just a few things to consider.
I am developing a spring MVC application. I ran into some interesting case.
To make it easier to explain i am taking the stackover flow buttons on the top as example( i mean those questions, tags, users, badges, unanswered buttons).
Now in my app i have similar buttons. when user clicks on any button it makes ajax call by passing proper arguments. Server makes sql queries and returns the results back.
Now assume that there is a crazy user like me who keeps on clicking those buttons without break. So each click is making a ajax call. And which ever completes its operation is showing up on front end. So even if the user clicks Tags button in the last it may show up and again the previous click on questions which took long time to return to front end can overwrite the page. How can i fix that? ( i want the tags data to be shown as it is the users last click)
In the first place i know that when user first clicks on question and then on tag i no longer need to query sql for questions button. Is there some way for me to stop processing the sql query for questions button.
Thanks
The best way to handle this is through the user interface - if the user takes some action (clicking an image) that will require significant processing on the backend, your UI should prevent other actions on the page from sending further messages to the backend until the original request is complete.
Ways to tackle this visually would be to disable/gray out other elements, make it obvious that some work is going on (with spinners, progress bars), etc.
On the server side, since each HTTP request is independent it would be cumbersome and difficult to add logic on the server to be able to detect if the user making this current request has another ongoing request currently being processed.
You probably need to take help of cookies. When the first time the action is done, write some cookie. Every time, check that cookie before you process.
You cannot simply disable a link or button from the UI and hope the user cannot do it. It can always be done in multiple ways. Additional checking is must.
(I haven't read your post completely. But from what I understand from the 1st answer...)
I had a similar problem, and I tackled it this way.
I did hand-coded ajax calls (as opposed to jQuery etc.)
I had a single global XMLHTTPRequest.
var xhr = new XMLHTTPRequest();
When the user clicked something, which needed an ajax call, I aborted the previous call, if already running.
if( xhr.readystate !=0 || xhr.readystate !=4 )
xhr.abort();
Then create a new instance of XHR, and do your business.
xhr = new XMLHTTPRequest();
xhr.open("GET", myUrl, true);
//attach callback function etc and do the send
Can anyone please explain how can we make a page expire when click on back button?
If we put response header as noCache does this work?
I have seen many online banking sites where session gets expired when trying to refresh a page or when trying to perform another action before getting the response for previous action or use back button. How this can be achieved in easiest way?
Thanks
If each action on the page is POST with hidden random-generated field, you can catch the situation where same POST is done twice (with GET you can try the same trick). You can then match the situation, where
User refreshes page
User click 'back' button
User works in 2 browser tabs/windows
Generally speaking, you can match any out-of-order user interaction, and session expiration can be one of the possible actions. From my observations, some bank system use such system, to prevent out-of-order user interactions.
Here is the thing : my webapp has loads of popups and my boss wants 'em closed on session expiry, coz when session expires and an user presses refresh on a popup, he is being shown the logon page -> user logs on -> user is directed to the dashboard. Now, a dashboard screen in a popup is totally uncool. Here is where google got me:
Have javascript to close popup onload. Generate this onload script into the response if session has expired (checking session expiry from jsp and including onload script conditionally).
Do you think this is a good way to it? What is the best practice for this scenario?
P.S: I am not allowed to use AJAX
In a past life, I made a popup manager object that maintained what windows were open. You should probably make one of these if not already done. Then, you can use setTimeout to call a function after so many minutes (or whatever time you want) have gone by. This will check for recent activity (probably via AJAX) and close the popup if you determine that the session has expired. If not, call setTimeout again with your new time, properly adjusted for most recent activity.
^^before the AJAX edit.
Well, since you can't use AJAX, can you put something in the url that will tell you it's a popup? Then you'll know not to show the login screen when the user hits reload.
The best way would be an XMLHTTP request to check login and close them if required - do this periodically.
Astute readers (meaning everyone) will notice that this is an AJAX request, but if you phrase it that way it might get accepted as whoever dictated that you 'aren't allowed to use AJAX' is clearly an idiot.
An alternative way to implement modal dialogs in a web application is to:
Model the dialog in a DIV, default styled to display: none;
On desired action, inject/append the Modal dialog DIV into the page source
Reset the CSS display so the modal dialog DIV is visible, overlaid on top of the page by setting the CSS z-index property
Make the modal dialog disappear upon either successful execution or the user cancelling out
Because the modal dialog is part of the page source, the dialog will disappear when the session times out. This approach doesn't spawn supporting windows that can be orphaned as the poster is attempting to address. And it fits the requirement of not using AJAX.
You can code these by hand, but I don't really recommend it because of having to support various browser. I suggest looking at the Yahoo User Interface. You can tailor it to suit your needs (IE: only modal dialogs), and it would support AJAX if requirements change down the road.
Beware of spawning modal dialogs from modal dialogs.
If your boss is asking you to achieve this, without using AJAX, then you're in trouble. He should understand that the only connection a browser has to the server (without refreshing the page) is javascript (what he understands to be ajax).
The best way to do this is to setup a script on the pages to ask the server if the user is still logged in every 30 seconds or so.
setInterval(function(){
$.get("loggedin.php", function(result) {
if (!result.isLoggedIn)
window.close();
});
}, 30000);
This script assumes you're using the jQuery framework for rapid development of javascript solutions. This also uses JSON (Javascript Object-notation) to test a return-value from the loggedin.php file.
Bottom line, you need to use AJAX. Tell your boss there is no other way. If he still doesn't get it, ask him to balance his checkbook without using math.
In theory, you could avoid AJAX by using a hidden flash widget...
But more practically, AJAX is the 'right' solution, and I think you will have to talk to your boss, determine where this 'no AJAX' rule came from, and convince him that AJAX is the best way to solve this problem.
Does he think AJAX would be take too much time to implement? If so, you should prove him wrong. Does he think it will be hard to maintain? If so, show how simple the code to do this will be, and how widely used the common AJAX libraries are. If your boss is reasonable, then his goal is to what is best for the product, and you should be able to reason with him.