Wednesday, December 4, 2013

Detecting login pages in Ajax requests

Way back when, in Orbeon Forms 3.9, we introduced an improved retry mechanism that kicks in when an Ajax request to the server fails. A request might fail either because the browser didn't get a response before a certain timeout, or because it got an unexpected response. In the first case, it is always worth retrying: if we were not able to contact the server now, there is a chance we might be able to do so in the future. However, an unexpected response might be the sign of a fatal error, and in that case we're only wasting the user's time by attempting to send the request to the server again.

When getting an unexpected response, since version 3.9, Orbeon Forms' client-side code looks at the content of the response to see if it recognizes it as an error produced by Orbeon Forms' server-side code. In that case, it doesn't retry, estimating that the error is likely to happen again. Otherwise, it tries again to send the request to the server. But is always retrying when we get an unexpected response that isn't an Orbeon error the wisest choice? Let's see what those pages could be:

  1. A user starts filling out a form at home, then walks downstairs to a coffee shop, orders her latte, and connects to the Wi-Fi to finish filling out the form, at which point she gets a page with a checkbox asking her to accept the usage guidelines for the Wi-Fi, which she does. If Orbeon Forms issues an Ajax request before she accepts the conditions, it will get that same page. Obviously, in this situation we'd like Orbeon Forms to retry the request.
  2. A user starts filling out a form, closes his laptop, drives home, and opens his laptop to continue his work. Unfortunately, in the meantime his session expired, and Ajax requests are served a login page. Obviously, in this situation retrying won't help, and we would be better off notifying the user that he needs to log in again.

How can Orbeon Forms distinguish between the first and the second case? In both cases, pages look like login pages, and are foreign to Orbeon Forms, which means it can't reliably tell the difference, at least not without some help.

This is why, in Orbeon Forms 4.5, we're introducing a way for admins to tell Orbeon Forms which pages fall in the second category, and are company login pages. Admins do this by setting the oxf.xforms.login-page-detection-regexp property to a regexp that Orbeon Forms runs against the page returned. If the page is a match, it considers it a login page, notifies the user (as shown below), and reloads the form, which in turn will likely take the user to the login page.


For more on this property, see the documentation on the login page detection.
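
The retry decision described in this post, sketched as an added example (this is not Orbeon Forms' own code). The function name, the outcome labels, the error marker, the scan limit and the sample regexp are all assumptions made for illustration.

```javascript
// Added illustration; not Orbeon Forms source. All names below are hypothetical.

// Constructed value an admin might set in oxf.xforms.login-page-detection-regexp.
// No "g" flag: a global RegExp keeps lastIndex between test() calls.
const LOGIN_PAGE_REGEXP = /<form[^>]*\bid="company-login"/i;

// Assumption: some marker lets the client recognize the server's own error pages.
const OWN_ERROR_MARKER = /<meta name="app-error"/i;

// Assumption: only the start of a foreign page is inspected, to bound regexp cost.
const MAX_SCAN_CHARS = 64 * 1024;

// result: { timedOut: boolean, body: string } for a failed or unexpected response.
// Pass null as loginRegexp to model the property being unset.
function decideAjaxOutcome(result, loginRegexp = LOGIN_PAGE_REGEXP) {
  if (result.timedOut) return "retry"; // the server may be reachable later
  const body = (result.body || "").slice(0, MAX_SCAN_CHARS);
  if (OWN_ERROR_MARKER.test(body)) return "show-error"; // likely to happen again
  if (loginRegexp && loginRegexp.test(body)) return "notify-and-reload"; // session expired
  return "retry"; // foreign page such as a Wi-Fi acceptance page
}

// Constructed sample pages for the two cases in the post, plus a server error.
const WIFI_PAGE = '<html><body><form action="/accept">' +
  '<input type="checkbox" name="tos"> I accept the usage guidelines</form></body></html>';
const LOGIN_PAGE = '<html><body><form id="company-login" method="post">' +
  '<input name="user"><input type="password" name="pw"></form></body></html>';
const ERROR_PAGE = '<html><head><meta name="app-error" content="1"></head></html>';

for (const [label, page] of [["wifi", WIFI_PAGE], ["login", LOGIN_PAGE], ["error", ERROR_PAGE]]) {
  console.log(label, "->", decideAjaxOutcome({ timedOut: false, body: page }));
}
```

A regexp as broad as `/<form/i` would also match the Wi-Fi page and reload the form in the coffee-shop case, so the pattern should key on something unique to the company login page.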