Forum OpenACS Development: Re: Request Processor's rp_filter and AJAX

Posted by Benjamin Brink on

The culprit is sec_get_user_auth_token used in (ad_user_login and) sec_login_handler which is used in sec_handler. Security can be such a nuisance!

Is it possible to have the client track the value of: sec_get_user_auth_token user_id ?

If auth_token changes, a new login is expected. Maybe the client could interrupt the session for re-login. Or, if the client already has info, handle re-login via util::http::cookie_auth.

I've managed to avoid JS-managed sessions, but have some sense of this via ecommerce, which has its own sessions, so this strategy may not work for you.