On Mon, Aug 06, 2012 at 10:03:22AM -0400, Scott Seago wrote:
> On 08/06/2012 04:32 AM, Tomas Hrcka wrote:
> > Yes, I know, that is exactly what I had in mind, but appending stuff to
> > Backbone requests is not that easy. And when the before filter catches a
> > JSON request for the API it actually does not matter, because API sessions
> > have a 2.minutes expiration.
> >
> > Tomas
> So the one edge case here would be any ajax request that uses JSON
> wouldn't register as activity. I'm not sure if we're using JSON for
> ajax requests now, but perhaps we could take the request param bit in
> reverse. For any UI-related JSON call, append some variable
> (non_backbone, ui_activity, or whatever) so that any request that
> sets this param doesn't invalidate the session.
I thought we were using JSON all over the place, but I'm struggling to find anything outside of the API or Backbone to prove it. So maybe this is safe. I'm slightly uneasy with being able to append a variable to a URL indicating that it should keep your session active. It feels like a security risk, whereas going the other direction -- "let my session expire in spite of this" -- does not. However, I'm not sure how valid of a concern this really is, since any "normal" request would already refresh your session. I wonder if it would be lunacy to set a custom HTTP header, which looks to be possible through Backbone. Something along the lines of X-Is-Backbone or whatnot. This might be easier than trying to globally alter URLs, and it's a valid use of headers. Does this sound like lunacy to you guys?
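To make the "safe direction" argument in the thread concrete, here is an added example of the idle-timeout bookkeeping as a plain Ruby module. It is not the project's code: the request is a Hash with a :headers map rather than a Rails request object, the header name X-Is-Backbone is taken from the proposal above, the 2-minute API timeout is the figure stated in the thread, and the 30-minute UI timeout is an assumed value. A request carrying the header is treated as background polling and does not refresh last_activity; every other request does, so the only thing a client can achieve by setting or omitting the header is to let its own session expire sooner, never later.

```ruby
require 'time'

# Idle-timeout session handling for the Backbone/API discussion above.
# Constructed example, not the project's code. A request is a Hash such as
# { headers: { 'X-Is-Backbone' => '1' }, format: :json }; a real Rails
# before_filter would consult request.headers instead.
module SessionActivity
  UI_TIMEOUT  = 30 * 60  # seconds; assumed idle limit for interactive sessions
  API_TIMEOUT = 2 * 60   # seconds; the thread states API sessions expire after 2.minutes

  # Hypothetical header from the thread. Its presence can only mark a request
  # as "not user activity"; absence falls back to the normal refresh path.
  BACKGROUND_HEADER = 'X-Is-Backbone'.freeze

  # True when the client explicitly flagged the request as background polling.
  def self.background?(request)
    (request[:headers] || {}).any? do |name, value|
      name.to_s.casecmp(BACKGROUND_HEADER).zero? && value.to_s == '1'
    end
  end

  # API-token sessions get the short limit; browser sessions the long one.
  def self.timeout_for(session)
    session[:api] ? API_TIMEOUT : UI_TIMEOUT
  end

  # Returns :expired, :untouched, or :refreshed. session is a Hash holding
  # :last_activity (Time) and :api (true for API-token sessions). An expired
  # session is cleared so later requests keep reporting :expired.
  def self.process(session, request, now: Time.now)
    last = session[:last_activity]
    if last.nil? || now - last > timeout_for(session)
      session.clear
      return :expired
    end
    # Background polling never extends the session: this is the direction
    # that is safe to leave under client control.
    return :untouched if background?(request)
    session[:last_activity] = now
    :refreshed
  end
end

if __FILE__ == $PROGRAM_NAME
  t0 = Time.at(1_344_261_802)  # constructed timestamp
  browser = { last_activity: t0, api: false }
  polling = { headers: { 'X-Is-Backbone' => '1' }, format: :json }
  click   = { headers: {}, format: :json }
  puts SessionActivity.process(browser, polling, now: t0 + 600)   # untouched
  puts SessionActivity.process(browser, click,   now: t0 + 600)   # refreshed
  puts SessionActivity.process(browser, polling, now: t0 + 2401)  # expired
end
```

Note that the decision is made on a header rather than a query parameter purely for the reason given in the message above: the marker lives beside the request instead of in the URL that gets logged, bookmarked and cached, and its effect is limited to shortening the session, so nothing is gained by forging it.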
