ssamayoa (9)
#1
I come from a JEE/JSF environment, so I don't have to worry about session management, since all requests/responses, even AJAX ones, are through the session, which is managed on the server side, and I, as a developer, don't have to worry about anonymous access. I mean, if someone tries to request a URL directly without authenticating, I can check if there is a valid session and, if not, the browser is redirected to the login page. Servlet technology does that for me via a special cookie which flows between server and browser.

Of course I have some ideas, but are there best practices in the book on session state management to secure data access in ExtJS applications?

Thanks.

Regards.
Bob C. (6)
#2
Re: ExtJS Session Management
You're still going to provide session management and authentication/authorization on the server side. You can check out the Ext GWT framework for a nice example of a "Web 2.0" framework. You'll be able to secure your site and provide ajax authorization with the GWT of course.
ssamayoa (9)
#3
Re: ExtJS Session Management
Thanks for your suggestion but I'm not going to GWT because Ext GWT is 2.x not 3.x.

These are the kind of things that may keep developers away from ExtJS, because there is no "official" or "best practice" way, only examples and tutorials.

Regards.
jesus.garcia (463)
#4
Re: ExtJS Session Management
That's because people often choose a method that best fits their environment and capabilities.
ssamayoa (9)
#5
Re: ExtJS Session Management
> That's because people often choose a method that best fits their environment and capabilities.

Mmmm...
I feel a little offended...

So, I ask directly:
How do you maintain the session between the ExtJS front end and the server backend with AJAX?
Do you use some property in the JSON request object?
Add a session id as a parameter in the URL?
How do you generate the session id?
Do you use the id given by your server technology (PHP, JSP, etc.) or do you write your own?

That's the kind of "best practice" I would have expected in the book. The book covers nicely the widgets and some front-end architectural issues but none of the server integration.

Regards.
jesus.garcia (463)
#6
Re: ExtJS Session Management
Session management is done by session cookies. They should be http cookies so JavaScript cannot read or manipulate them. The book does not and cannot go into the very basics of web development. Ext JS is a huge framework, thus I decided to focus on it. Likewise, it is server language independent, thus the discussion of server-side code is kept to a minimum.

Many people expect lots of things. The simple fact is that I tried to cover as much as possible within the scope of the framework itself.
ssamayoa (9)
#7
Re: ExtJS Session Management
> Many people expect lots of things. The simple fact is that I tried to cover as much as possible within the scope of the framework itself.

Ok, noted.

So, what about an addendum or another book which covers the subject of "best practices"?
Be sure that if you write I buy it.

Regards.
ssamayoa (9)
#8
Re: ExtJS Session Management
Oops!

I mean if you write it I buy it...
exceptione (13)
#9
Re: ExtJS Session Management
@ssamayoa It just doesn't make sense for Jay to write something about managing session state in your server application. Extjs is a front-side technology. Communication takes place over http. That's all.
If your server side has made a session cookie, each new request to the server will contain that cookie info since this is how browsers work.
Keeping an authenticated session is thus actually a no-brainer.

In fact your question has nothing to do with extjs best practices. If you don't feel at ease with web programming I would suggest you search for more material on your preferred web server technology. I don't think this is a topic where Jay could help you much.
ssamayoa (9)
#10
Re: ExtJS Session Management
@exceptione

> has nothing to do with extjs best practices

Obviously you don't understand my point: best practices of ExtJS + server side. That's not an ExtJS best practice?

People buy tech books to learn more quickly than by reading tutorials or experimenting by themselves. Of course I have the knowledge and capabilities to do it myself, but I don't want to poke around with Google reading hundreds of half-cooked examples to reinvent the wheel.
accguy (18)
#11
Re: ExtJS Session Management
ssamayoa,

I think the best practice for ExtJS would be to use session cookies that have a time limit (i.e. that expire).

What language are you programming with on the server side? If it is Perl, the easiest thing to do is use the CGI::Session module. It will track all of your sessions with all of the browsers (ExtJS applications) that connect to the site. Remember, whenever a browser sends a request to a server, it always sends the session cookie that was given to it by that server, if any. That way, both the server and the ExtJS app (your browser) should be in sync with the same session cookie.

http://search.cpan.org/~markstos/CGI-Session-4.42/lib/CGI/Session.pm


If you are running PHP, then use PHP's server-side session management:
http://us3.php.net/manual/en/book.session.php

If you are using some other language, search its documentation for Session Management stuff.

In the end, the other posters are correct. Asking what the best practice for session management with ExtJS is, is like asking what the best practice for Vehicle Operation is, it depends on the vehicle you are driving.

Sessions are instantiated by the web server, and then the session id information is sent to the browser. The browser simply echoes that information back to the server so the server can align that session id with a list of known/open sessions. If there is not one open, then you either code the web server to respond with a Not Auth message, or authenticate the client and send the session id info to the client.

Acc.
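
The flow discussed in this thread (a server-issued, expiring, HttpOnly session cookie that the browser echoes back on every Ajax request, with a "not authenticated" answer when no open session matches) as an added example in framework-free Node.js; it is not code from the book or from any poster. The cookie name `sid`, the 30-minute lifetime, the in-memory `sessions` table and all function names are assumptions made for the illustration.

```javascript
// Added example: server-side session check for Ajax requests (hypothetical names).
const crypto = require('node:crypto');

const SESSION_TTL_MS = 30 * 60 * 1000; // assumed 30-minute session lifetime
const COOKIE_NAME = 'sid';             // hypothetical cookie name

// Open sessions, kept on the server: session id -> { user, expires }.
const sessions = new Map();

// Call only after the credentials were verified; returns the Set-Cookie header value.
function createSession(user, now = Date.now()) {
  const id = crypto.randomBytes(32).toString('hex'); // unguessable id from the CSPRNG
  sessions.set(id, { user, expires: now + SESSION_TTL_MS });
  // HttpOnly hides the id from page script; Secure limits it to HTTPS.
  return `${COOKIE_NAME}=${id}; Max-Age=${SESSION_TTL_MS / 1000}; ` +
         'Path=/; HttpOnly; Secure; SameSite=Lax';
}

// Extract the session id from the Cookie request header the browser echoes back.
function readSessionId(cookieHeader = '') {
  for (const part of cookieHeader.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === COOKIE_NAME) return rest.join('=');
  }
  return null;
}

// Match the id against the open sessions; expired entries are dropped.
function lookupSession(cookieHeader, now = Date.now()) {
  const id = readSessionId(cookieHeader);
  const session = id ? sessions.get(id) : undefined;
  if (!session) return null;
  if (session.expires <= now) {
    sessions.delete(id);
    return null;
  }
  return session;
}

// Gate for a data endpoint: an Ajax caller gets a 401 with a JSON body
// (which the client can turn into a login prompt) rather than a redirect.
function handleDataRequest(headers, now = Date.now()) {
  const session = lookupSession(headers.cookie, now);
  if (!session) {
    return { status: 401, body: JSON.stringify({ success: false, error: 'Not authenticated' }) };
  }
  return { status: 200, body: JSON.stringify({ success: true, user: session.user }) };
}
```

The client never handles the id itself: the browser attaches the cookie to each Ajax request, and the client code only has to react to the 401.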