Home → Questions →

Session Check Pattern for a SPA

• Edit

Frank

24 Aug, 2016 04:26 PM

I'm using a custom login script, and I'm trying to figure out how to configure the session check pattern for a single-page application using AngularJS framework.

Since the body of the page never changes, and different parts of the page are enabled/disabled based upon user actions, how do I specify a user is logged out?

In the login script itself I'm checking that the login section of the page has been disabled to determine successful authentication.

Watir::Wait.until(timeout=20){ browser.section(:id => 'login', :class => "ng-scope ng-hide").exists? }

1. Support Staff 1 Posted by Tasos Laskos on 24 Aug, 2016 04:51 PM

   

   Authentication happens server-side though right?
   There must be an HTTP request you can make to determine a valid session.

   • Edit

2. 2 Posted by Frank on 24 Aug, 2016 06:49 PM

   

   I am not the developer of the application, but I have studied the traffic flow.

   The application will POST XML to an endpoint at a configured interval. The XML includes the Security Token received after successful authentication. The server returns a JSON response, which is processed client-side. Based on that response, the page is modified to re-enable the login section of the HTML if the session has expired.

   • Edit

3. Support Staff 3 Posted by Tasos Laskos on 25 Aug, 2016 02:20 PM

   

   You can post something similar to determine the session status based on the response, see: http://support.arachni-scanner.com/kb/general-use/logging-in-and-ma...

   • Edit

4. 4 Posted by Frank on 29 Aug, 2016 02:41 PM

   

   I'll take a look at this today to see if that will work.

   • Edit

5. Tasos Laskos closed this discussion on 22 Sep, 2016 09:14 AM.

6. Frank re-opened this discussion on 22 Sep, 2016 05:48 PM

7. 5 Posted by Frank on 22 Sep, 2016 05:48 PM

   

   Sorry for the delay in responding. This has not been resolved.

   For session check, we need to POST an XML message, and read a message in the JSON response to determine if the session is still valid.

   In addition, part of the XML message needs to contain the security token. The token for the message needs to be retrieved from an Angular service.

   How can we perform this?

   • Edit

8. Support Staff 6 Posted by Tasos Laskos on 23 Sep, 2016 11:46 AM

   

   Not sure how to get the security token, is it stored in JS?
   If so you can evaluate JS and extract it with something like:

   token = browser.execute_script( 'return getToken();' )
   

   Then, you can set more complex log-in options at the end of the login script, something like:

   session.check_options = {
       method:     :post,
       body: "<xml><token>#{token}</token></xml>"
   }
   

   • Edit

9. 7 Posted by Frank on 17 Oct, 2016 03:46 PM

   

   We can close this. We have found another solution. Thanks!

   • Edit

10. Tasos Laskos closed this discussion on 18 Oct, 2016 09:35 AM.