On Mon, 2012-08-06 at 10:45 -0400, Matt Wagner wrote:
> On Mon, Aug 06, 2012 at 10:03:22AM -0400, Scott Seago wrote:
> > On 08/06/2012 04:32 AM, Tomas Hrcka wrote:
> > >Yes I know that is exactly what I had in mind, but appending stuff to
> > >backbone requests is not that easy. And when the before filter catches
> > >JSON request for API it actually does not matter because API session
> > >has 2.minutes expiration.
> > >
> > >Tomas
> > So the one edge case here would be any ajax request that uses json
> > wouldn't register as activity. I'm not sure if we're using json for
> > ajax requests now, but perhaps we could take the request param bit in
> > reverse. For any ui-related json call, append some variable
> > (non_backbone, ui_activity, or whatever) so that any request that
> > sets this param, don't invalidate the session.
>
> I thought we were using JSON all over the place, but I'm struggling to
> find anything outside of the API or Backbone to prove it. So maybe this
> is safe.
>
> I'm slightly uneasy with being able to append a variable to a URL
> indicating that it should keep your session active. It feels like a
> security risk, whereas going the other direction -- "let my session
> expire in spite of this" -- does not. However, I'm not sure how valid of
> a concern this really is, since any "normal" request would already
> refresh your session.

This is also what I was thinking.

>
> I wonder if it would be lunacy to set a custom HTTP header, which looks
> to be possible through Backbone. Something along the lines of
> X-Is-Backbone or whatnot. This might be easier than trying to globally
> alter URLs, and it's a valid use of headers. Does this sound like lunacy
> to you guys?

In a way isn't ^ the same as modifying the URL? I mean the code
creating/modifying the header will be on client side...
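
An added example, not part of the original message or the project's code: a sketch of the "let my session expire in spite of this" direction from the thread, where a request marked with the proposed X-Is-Backbone header is still checked for expiry but never refreshes the idle timer. The names `check_session`, `simulate`, `IDLE_TIMEOUT` and the 15-minute value are assumptions, and the traffic is constructed.

```ruby
# Added example: idle-timeout check where a client-set marker can only
# suppress the activity refresh. All names and values are hypothetical.
IDLE_TIMEOUT = 15 * 60                 # assumed UI idle timeout (seconds)
POLL_HEADER  = "HTTP_X_IS_BACKBONE"    # Rack env key for X-Is-Backbone

# Runs on every request, like a before filter. `now` is epoch seconds.
# Returns :ok or :expired.
def check_session(session, env, now)
  last = session[:last_activity]
  # Expiry is enforced for every request, marked or not (fail closed
  # when no activity timestamp exists).
  if last.nil? || now - last > IDLE_TIMEOUT
    session.clear
    return :expired
  end
  # Marked (background polling) requests do not count as user activity.
  # Omitting the marker just makes this an ordinary request, so a client
  # gains nothing by lying about it.
  session[:last_activity] = now unless env.key?(POLL_HEADER)
  :ok
end

# Replays constructed [seconds_after_login, env] pairs against one session.
def simulate(requests)
  session = { last_activity: 0 }
  requests.map { |offset, env| check_session(session, env, offset) }
end

# Constructed traffic: one request per minute for 20 minutes.
POLLING  = (1..20).map { |m| [m * 60, { POLL_HEADER => "1" }] }
ORDINARY = (1..20).map { |m| [m * 60, {}] }

if __FILE__ == $PROGRAM_NAME
  puts "polling only: #{simulate(POLLING).count(:expired)} of 20 expired"
  puts "ordinary:     #{simulate(ORDINARY).count(:expired)} of 20 expired"
end
```

With polling alone the session expires once the idle window passes; because the marker is set by client-side code, the server treats it only as a hint that can shorten a session's life.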
