I'm currently working on a single-page application and I'm using React and Relay to achieve this.
I have several components which are very different or even absent if the user is not logged in (e.g. logged-in user dropdown menu, profile page, access to member content, etc.).
An important thing to note is that I'm using WordPress as the CMS. Logging in is currently done via normal HTTP and with a normal page refresh. WordPress sets a few sessions for logged-in users.
The problem: I have a very easy WordPress way (a one-liner) to check in PHP if a user is logged in.
- I have no idea why, but AJAX (even with like 20 bytes of data) very often has huge loading times (a few seconds). I would need to check if the user is logged in very often, and this is unacceptable. My connection and server are fine; "normal" pages take almost the same time to load. That means that sending an AJAX request and checking on the server via PHP whether the user is logged in is not an option.
- I cannot capture the session keys or values because these are both randomly generated, not stored in the database in any way, and it would probably be a huge safety concern. That means that I cannot check if my "secret" variable value in JS equals the session key or value.
Can I, and (if yes) how could I, match these 2 technologies? I can't see a way to drop the WordPress login system because the whole CMS depends on it and it would be very painful to change that. Or should I use a separate JS login mechanism in the front-end? Users don't have access to the WordPress back-end, only admins do.
Even if you don't have a good solid answer, all suggestions are very welcome in the comments!
There is really no need to check whether the user is logged in in every part of a single-page application. Let me explain how I do it:
Login/logout happens via a simple call to the relative endpoint. I use a separate endpoint to return the user's data, which results in a 404 if the user is not logged in. That's just my way of doing things; you could just as well return that data from the login endpoint if the login was successful.
Now, even though it's a single-page application and we use AJAX for communication between the app and the server, server sessions still continue to exist. This means that the logic for checking whether a user is logged in remains the same for both non-AJAX and AJAX calls. Based on that, you can secure your backend to only return the data that's accessible to a user.
Going back to the single-page application: you log in once, and you store the necessary information, like user level etc., in your application. Now it's true that this data can be easily compromised. But you shouldn't worry about that too much, since it only affects the current user, and the backend won't actually permit him to do anything he's not allowed to do anyway.
So for example, a person changes his user level from 'normal' to 'admin'. Now he can view some parts of the application he wouldn't be able to view normally. But he will see no content, as the backend will refuse to send him that data anyway. He might see some options that weren't available to him before, but again, even though he might send these requests, the backend will not process them.
Let me know in case I misunderstood what you’re trying to do, or you still need some clarification.