The application I'm working on at the moment has a session timeout value. If the user hasn't interacted for longer than this value, the next page they try to load, they will be prompted to log in.
All requests made are routed through this mechanism, which includes AJAX calls. Originally we were sending a 200 header with the login page, which introduces some problems with AJAX since code is run if a 200 response is sent, and most data sent back from these RPC calls is JSON or raw JavaScript that gets evaluated (don't ask :|).
I've suggested that a 401 is better, since our JSON parser won't try to consume an HTML login page.. :)
When reading the spec, however, I noticed that the WWW-Authenticate field must also be sent.
What is a good value for this field? Will Application Login suffice?
This question is related to
http-headers
xmlhttprequest
No, you'll have to specify the authentication method to use (typically "Basic") and the authentication realm. See http://en.wikipedia.org/wiki/Basic_access_authentication for an example request and response.
You might also want to read RFC 2617 - HTTP Authentication: Basic and Digest Access Authentication.
When the user session times out, I send back an HTTP 204 status code. Note that the HTTP 204 status contains no content. On the client-side I do this:
xhr.send(null);
if (xhr.status == 204)
Reload();
else
dropdown.innerHTML = xhr.responseText;
Here is the Reload() function:
function Reload() {
var oForm = document.createElement("form");
document.body.appendChild(oForm);
oForm.submit();
}
Source: Stackoverflow.com