In my previous post I mentioned that there is no built-in mechanism for associating calls from a pure DHTML UI with user and session-specific state at the server. In this post I want to detail how to integrate with a .NET or Java session. Of course, the same principles can be applied to other web technologies like PHP etc.
If your session ids are sent as cookies, the integration is easy because the browser will automatically send those cookies back with every request to the same domain, even those for static content and the server calls the UI executes in the background. So attaching to the ASP.NET or Java Session can be as simple as calling a server page that uses a session. Important: Ajax calls via the XMLHttpRequest API will NOT set or remove cookies, so such a page would have to be loaded into the main window or at least an iframe. Also, it is good practice to mark session cookies as http-only which means they cannot be accessed directly from JavaScript.
If you don’t use cookies but encode session and authentication information in the URL, the problem becomes trickier – you will have to extract that information from the server page and add it manually to all request URL that require that context.
One thing to keep in mind is that the session will eventually time out (the details depend on your configuration). If your application does not regularly call server components that will use or at least automatically “touch” the session but needs to keep it alive in the background, you may have to add functionality that will periodically call the server to do just this.
Also, typically, web services do not have access to user sessions and will therefore not “touch” them nor be able to access the session data – they need to be made session-aware. In a .NET asmx web service, you can enable session access for a method by decorating it with [WebMethod(EnableSession=true)]:
using System.Web; .... // decorate the method to indicate it should enable session handling [WebMethod(EnableSession=true)] public string AccessSession() { // access the user session via System.Web.HttpContext.Current.Session if (HttpContext.Current.Session != null) { return HttpContext.Current.Session["SomeKey"] as string; } return "Session not found"; } A Java example can be found here: http://www.ibm.com/developerworks/webservices/library/ws-tip-stateful.html.
If you are using session-enabled web services, the web service client is responsible for attaching the correct session id to the request – only if you use a JavaScript client and use cookies, this will probably happen automatically.
Overall, this is a fairly simple approach to enable user-specific session state at the server with a pure DHTML UI and works well if your UI communicates with a single server application.
In my next post, I will offer an alternative approach that doesn’t require the use of traditional server-side sessions.
-Anke
Written by: Anke Doerfel-Parker |
Connect with us: