How can I code a jQuery ajax() call (i.e. XmlHttpRequest) so that it preserves the session ID (i.e. sends the 'JSESSIONID' cookie that is already in the browser's cookies)?
Our context:
- Two Java-based web applications
- The SSO mechanism registers the user in both applications (that is, the user has session 101 with application A and session 202 with application B)
- Application "A" uses JavaScript (jQuery) to invoke REST calls in application B
- App B implements a REST API in Java Jersey (fwiw)
- All GETs and "old-school POSTs" from app A to B connect to the same session #202 in "session B"
- XmlHttpRequests (for example, jQuery ajax() calls) do not use session #202. Each XmlHttpRequest receives a new session
Why new sessions?
Reason: XmlHttpRequest does not send cookies to application B. The servlet container sets the jsessionid in a cookie; the server never receives the jsessionid.
In contrast, JSONP calls (which dynamically generate `<script src="http://server/b/page.x">`) do send cookies.
Questions
- What is the easiest way to get ajax XmlHttpRequest calls to pass the session ID (cookies) to the target application?
- Any good links on ajax, cookies, XmlHttpRequest and REST?
- Can anyone recommend reading on REST API design and authentication?
Web Sessions, State, and Authentication
I know that REST should be stateless, and reusing web sessions seems somewhat fragile (i.e. unlike using OAuth tokens and authentication, as Netflix does).
This is the first iteration, and we were close to getting everything running. It worked fine with JSONP, but the XmlHttpRequest messages failed.
early
Update:
Actually a naive question.
It turns out that cross-site calls via XmlHttpRequest / ajax have inherent security issues and workarounds. For example, Firefox will not send cookies using XmlHttpRequest unless you add custom headers. Then, Firefox will perform a "preflight check" (i.e. an HTTP OPTIONS call) on the server to see "is this okay?". Your server must answer the "OPTIONS" call saying "yes, this is okay" before Firefox executes your "cookie message".
IE and Firefox solve this problem in different ways (i.e. like JavaScript circa 1998). I don't know what IE is doing, but, having lived through 1998, we don't really want to go down this road, if at all possible.
We coded a workaround.
None of our team knew about this when we started coding. (i.e., "JSONP worked fine in the prototype, everything else too")
References: How Mozilla solves this problem (HTTP headers and preflight checks): https://developer.mozilla.org/En/HTTP_access_control
Cross-Origin Resource Sharing: http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing