
Checking login status at client side

I want to learn what the best practice is to check login status at the client side. What I am trying to do is check the user's login status and, if he is not logged in, open a popup box (login box) using JavaScript.

I can think of 2 options

  1. Make an AJAX call to server and get the login status.
  2. Have a variable in your HTML page and check this variable with JavaScript at client side. Of course I do not trust this check, I still have all the necessary checks in my controllers at server side.

Option 1 is good, but it can add some latency/delay, so it may not be the best option in terms of user experience. Or am I wrong, and with a good server (I am planning to use Amazon Web Services) this delay will be so minimal that the user will not notice it? (The question may look silly, but this is my first web development project, so please be understanding :))

I can't see any problem with option 2, please correct me if I am wrong. As I said I am trying to understand the best practice.

The best way to avoid the server hit/network latency as well: you can put a client variable which has the login status (as you said in your question), but the main thing to avoid the server hit and network latency (AJAX) is to use the same logic that is on the server side to set the login status to false. Suppose the logic is to set the login status to false after 5 minutes of inactivity; you can do the same on the client side as well.

So overall, what I mean to say is: implement the same logic at the client end to set the login status to false, and based on that you can show your login dialog immediately with any latency. And as a BEST PRACTICE you should always do double verification, i.e. at the server end, on each and every request for authenticated stuff, you should check that the client login status matches the server login status, since the client's login status can be tampered with.

Good Luck...
Happy exploring :-)

Option 1 seems the best; how can you otherwise know if the cookie you save the user id in was not tampered with? As far as I know, the best practice is to add a hash to the cookie (you can see Google doing that in their cookies), and then use that to check if the data in the cookie is valid on the server side, using a secret and/or salt.

http://en.wikipedia.org/wiki/Hash_function

http://en.wikipedia.org/wiki/Salt_(cryptography)

What you could do anyway, though, is check if a cookie exists with the userid in your client-side JavaScript, and if not, then send the user to the login page.

https://developer.mozilla.org/en-US/docs/DOM/document.cookie

That way you don't need a server round trip for obviously logged-out users.

However, can't you already do the checking on the first request the user makes to your server, and if the user is not logged in, respond with the login page?
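The cookie scheme discussed in the answers above, as an added example that is not part of the original thread: the server issues a cookie carrying the user id and an expiry, authenticated with HMAC-SHA256 (a keyed hash, used here for the "hash with a secret"), and verifies it on every request, while the client only checks that a cookie is present as a UI hint. The names `SECRET`, `IDLE_MS`, `issueCookie`, `verifyCookie`, `looksLoggedIn` and the cookie name `session` are assumptions made for this sketch, which runs under Node.js.

```javascript
const crypto = require("node:crypto");

// Assumption: a real deployment loads this key from server-side configuration.
const SECRET = crypto.randomBytes(32);
// The 5-minute inactivity window used as the example in the first answer.
const IDLE_MS = 5 * 60 * 1000;

function mac(payload) {
  return crypto.createHmac("sha256", SECRET).update(payload).digest("base64url");
}

// Server side: cookie value is "<userId as base64url>.<expiry ms>.<HMAC tag>".
function issueCookie(userId, now = Date.now()) {
  const payload = `${Buffer.from(userId).toString("base64url")}.${now + IDLE_MS}`;
  return `${payload}.${mac(payload)}`;
}

// Server side: returns the user id, or null if the cookie is malformed,
// tampered with, or expired. This is the check that actually grants access.
function verifyCookie(value, now = Date.now()) {
  const parts = String(value).split(".");
  if (parts.length !== 3) return null;
  const [uid, expiry, tag] = parts;
  const expected = Buffer.from(mac(`${uid}.${expiry}`));
  const given = Buffer.from(tag);
  // Constant-time comparison; timingSafeEqual requires equal lengths.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  if (!/^\d+$/.test(expiry) || Number(expiry) <= now) return null;
  return Buffer.from(uid, "base64url").toString();
}

// Client side: a presence check on document.cookie-style text. It can only
// decide whether to show the login box; it proves nothing about the session.
// Assumption: the cookie is readable by script (not marked HttpOnly).
function looksLoggedIn(cookieString, name = "session") {
  return cookieString.split(";").some((c) => c.trim().startsWith(`${name}=`));
}
```

In the browser, `looksLoggedIn(document.cookie)` gives the immediate answer for showing the login box; a forged cookie passes that check but is rejected by `verifyCookie` on the server.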

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. For any questions, please contact: yoyou2525@163.com.

 