[PATCH V5 0/5] Switch to a traditional login flow
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com> V4 -> V5: fix the login bug after an error user/password input V3 -> V4: improve the login page. V2 -> V3: improve when to show timeout message V1 -> V2: when username or password is wrong, back to login page with an error message. when session time out, back to login page with an error message. ShaoHe Feng (5): create a new login page redirect the URL to login page when session timeout or first login when login successfully, redirect to the last page. login page prompts error when username or password is wrong login page prompts error when session timeout src/kimchi/auth.py | 53 +++++++++++++++++---- src/kimchi/config.py.in | 7 +++ src/kimchi/root.py | 38 +++++++++++---- src/kimchi/server.py | 2 + tests/test_rest.py | 1 - ui/images/progressing.gif | Bin 0 -> 1152 bytes ui/js/src/kimchi.main.js | 14 ++++-- ui/pages/login.html.tmpl | 118 ++++++++++++++++++++++++++++++++++++++++++++++ 8 files changed, 209 insertions(+), 24 deletions(-) create mode 100644 ui/images/progressing.gif create mode 100644 ui/pages/login.html.tmpl -- 1.9.3
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com> this page is used for the session timeout or first login. Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Signed-off-by: Yu Xin Huo <huoyuxin@linux.vnet.ibm.com> --- ui/images/progressing.gif | Bin 0 -> 1152 bytes ui/pages/login.html.tmpl | 110 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 110 insertions(+) create mode 100644 ui/images/progressing.gif create mode 100644 ui/pages/login.html.tmpl diff --git a/ui/images/progressing.gif b/ui/images/progressing.gif new file mode 100644 index 0000000000000000000000000000000000000000..6552d41d9d4c874091bb51931c6adf64a95e8bd0 GIT binary patch literal 1152 zcmZ?wbhEHb6k!ly*v!E2|NsBHckiA#b7s?~O&uK_IXO9@p`oUxrgCy}4A_9;e{Mh5 zkYH!W09PYD17=2`8pWS1oFWVy3_2k7AY&O=+5}E^`WY^hIhD@I;2`qkhUamCHs#2? zD{Sl5ddqAu;o;E8n07H&VTOd$9w+z3Od8dz)1OOlg@hfQ?6P6gg)Nhut~h8s_iHy| zTx?f<DfNuF4qs+in1T70o7P)P87f1<g5(0~t-`bz%`;<c7;R*Hby&0+Cd*D$nyx)7 zxH>hoEs9-2GEYbl<TO?^r*$AZO&~F#<dR{_!xK!0-EtLPZ*p|yWoF`%>SmZA?aQ<9 zUT3kA$h=8X2{%vLaEeZ2FfFvxHCy+@)2xTXXx&nW19L8~I4mhFCLSR*N5YUN_g8RC zxvG$d3rC2Yoni>Hr8Z+mk+UtMt&Fyriq3S|nYyz*lh|s_)v7fmBnyPWjzbSOeSwpn ztM^*GK3gr@WX{W=;H4@s$Eix`o#&Z+UC|vq;?Mm$*qz>q{MpOLKD$V>lW^GM@gRp< zTfqAxmTMW#NQtz1Ow(GUENaLTnG@~OSSl%)a-~@^*=_L^Wu6LazRZG$dI^iu%U-z% zg<00g*_8=1ySk){v9Pk(*~<9qvQD2qQDdsojG1{NY_a__TQemj7eK-u-Fqm>f>utm zWMS=L&jJU059@Suul#8<RCK0juuU^pO9X~|9`=wYHdzoCYCehQmh?GGSt;IO&EY61 z^|cU^WKC}pQa3GC)^bS)J5HFrADAqr$@=Tg_KIeUMR6Q@nr+9QW_y9zNsLj!T)@YO zmFW>EN`0IXPrZ>S5M3ptD%hrTMQhc8T>+_g4tF#}E)IMpc<k8J3C>bEce!tTI4V-^ zEEL|{;B8wW%<SUK!k*>CY&#hksVX{CWv466RGb|aXRcN%49rjY*aHrnWY;d4a(eT< sn9_<U58lHODbH9KGQC;#6@s@G?AG7t-SQycLr1Fr#FC=U9tH+$0KoWQ9smFU literal 0 HcmV?d00001 diff --git a/ui/pages/login.html.tmpl b/ui/pages/login.html.tmpl new file mode 100644 index 0000000..555430b --- /dev/null +++ b/ui/pages/login.html.tmpl @@ -0,0 +1,110 @@ +#* + * Project Kimchi + * + * Copyright IBM, Corp. 2014 + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + *# +#unicode UTF-8 +#import gettext +#from kimchi.cachebust import href +#silent t = gettext.translation($lang.domain, $lang.localedir, languages=$lang.lang) +#silent _ = t.gettext +#silent _t = t.gettext +#from kimchi.config import get_version +<!DOCTYPE html> +<html lang="$lang.lang[0]"> +<head> +<meta charset="UTF-8"> +<title>Kimchi</title> +<meta http-equiv="X-UA-Compatible" content="IE=edge"/> +<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" /> +<link rel="shortcut icon" href="images/logo.ico"> +<link rel="stylesheet" href="$href('css/theme-default.min.css')"> +<script src="$href('libs/jquery-1.10.0.min.js')"></script> +<script src="$href('libs/jquery-ui.min.js')"></script> +<script src="$href('libs/jquery-ui-i18n.min.js')"></script> +<script src="$href('js/kimchi.min.js')"></script> +<style type="text/css"> +.topbar select { + float: right; + margin-top: 12px; + margin-right: 10px; +} +.login-area { + margin: 120px auto 0; +} +#login-window { + width: 315px; +} +.err-area { + height: 80px; +} +.err-mess { + color: #C85305; +} +</style> +<script> +function changeLang() { + var lang = document.getElementById('userLang').value; + kimchi.cookie.set('kimchiLang', lang, 365); + window.location.reload(); +} +function setLang() { + var defaultLang = 'en_US'; + var clientLang = document.getElementsByTagName("html")[0].getAttribute("lang"); + var persistLang = kimchi.cookie.get('kimchiLang'); + document.getElementById("userLang").value = persistLang || clientLang || defaultLang; +} +function updateBtnLabel() { + document.getElementById("login").style.display = "none"; + document.getElementById("logging").style.display = ""; +} +function init() { + setLang(); +} +</script> +</head> +<body onload="init()"> +<div class="container topbar"> + <span id="logo"><img alt="Project Kimchi" src="images/theme-default/logo-white.png"></span> + <select id="userLang" onchange="changeLang()"> + <option value="en_US">English (US)</option> + <option value="zh_CN">中文(简体)</option> + <option value="pt_BR">Português (Brasil)</option> + </select> +</div> +<div id="login-window" class="login-area"> + <div class="err-area"> + <div id="messUserPass" class="err-mess" style="display: none;">$_("The username or password you entered is incorrect. Please try again.")</div> + <div id="messSession" class="err-mess" style="display: none;">$_("Session timeout, please re-login.")</div> + </div> + <form id="form-login" action="/login" method="POST" class="login-panel" onsubmit="updateBtnLabel();"> + <div class="row"> + <input type="text" id="username" name="username" required="required" placeholder="$_("User Name")" autofocus/> + <div id="username-msg" class="msg-required"></div> + </div> + <div class="row"> + <input type="password" id="password" name="password" required="required" placeholder="$_("Password")" /> + <div id="password-msg" class="msg-required"></div> + </div> + <div class="row"> + <button id="btn-login" class="btn-normal"> + <label id="login">$_("Log in")</label> + <label id="logging" style="display: none;">$_("Logging in...")</label> + </button> + </div> + </form> +</div> +</body> +</html> -- 1.9.3
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com> If the content type is application/json still raise 401 status code. And let UI redirect to login page. or the backe redirects to login page directly. enable kimchi-ui.html authentication protected. and update the test case Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Signed-off-by: Yu Xin Huo <huoyuxin@linux.vnet.ibm.com> --- src/kimchi/auth.py | 11 +++++++++++ src/kimchi/config.py.in | 3 +++ src/kimchi/root.py | 28 +++++++++++++++++++--------- tests/test_rest.py | 1 - ui/js/src/kimchi.main.js | 5 +---- 5 files changed, 34 insertions(+), 14 deletions(-) diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py index dc78ded..a38dbd3 100644 --- a/src/kimchi/auth.py +++ b/src/kimchi/auth.py @@ -28,6 +28,7 @@ import re import termios import time +import urllib2 from kimchi import template @@ -41,6 +42,12 @@ REFRESH = 'robot-refresh' +def redirect_login(): + next_url = urllib2.quote( + cherrypy.request.path_info.encode('utf-8'), safe="") + raise cherrypy.HTTPRedirect("/login.html?next=%s" % next_url, 303) + + def debug(msg): pass # cherrypy.log.error(msg) @@ -234,6 +241,10 @@ def kimchiauth(admin_methods=None): raise cherrypy.HTTPError(403) return + # not a REST full request, redirect login page directly + if not template.can_accept('application/json'): + redirect_login() + if not from_browser(): cherrypy.response.headers['WWW-Authenticate'] = 'Basic realm=kimchi' diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in index 0206570..d4cbda0 100644 --- a/src/kimchi/config.py.in +++ b/src/kimchi/config.py.in @@ -187,6 +187,9 @@ class KimchiConfig(dict): '/spice.html': { 'tools.kimchiauth.on': True }, + '/kimchi-ui.html': { + 'tools.kimchiauth.on': True + }, '/data/screenshots': { 'tools.staticdir.on': True, 'tools.staticdir.dir': get_screenshot_path(), diff --git a/src/kimchi/root.py b/src/kimchi/root.py index 8b1d09b..5ec1cf5 100644 --- a/src/kimchi/root.py +++ b/src/kimchi/root.py @@ -81,7 +81,7 @@ def get(self): @cherrypy.expose def default(self, page, **kwargs): if page.endswith('.html'): - return template.render(page, None) + return template.render(page, kwargs) raise cherrypy.HTTPError(404) @cherrypy.expose @@ -110,14 +110,24 @@ def __init__(self, model, dev_env): self.messages = messages @cherrypy.expose - def login(self, *args): - params = parse_request() - try: - username = params['username'] - password = params['password'] - except KeyError, item: - e = MissingParameter('KCHAUTH0003E', {'item': str(item)}) - raise cherrypy.HTTPError(400, e.message) + def login(self, *args, **kwargs): + username = kwargs.get('username') + password = kwargs.get('password') + # forms base authentication + if username is not None: + # UI can parser the redirect url by "next" query parameter + next_url = kwargs.get('next', "/") + next_url = next_url[0] if(type(next_url) is list) else next_url + auth.login(username, password) + raise cherrypy.HTTPRedirect(next_url, 303) + else: + try: + params = parse_request() + username = params['username'] + password = params['password'] + except KeyError, item: + e = MissingParameter('KCHAUTH0003E', {'item': str(item)}) + raise cherrypy.HTTPError(400, e.message) try: user_info = auth.login(username, password) diff --git a/tests/test_rest.py b/tests/test_rest.py index 7ed94cb..18ba66e 100644 --- a/tests/test_rest.py +++ b/tests/test_rest.py @@ -1431,7 +1431,6 @@ def test_auth_unprotected(self): '/css/theme-default.min.css', '/libs/jquery-1.10.0.min.js', '/images/icon-vm.png', - '/kimchi-ui.html', '/login-window.html', '/logout'] for uri in uris: diff --git a/ui/js/src/kimchi.main.js b/ui/js/src/kimchi.main.js index 184029d..2a8f461 100644 --- a/ui/js/src/kimchi.main.js +++ b/ui/js/src/kimchi.main.js @@ -227,10 +227,7 @@ kimchi.main = function() { kimchi.previousAjax = ajaxSettings; $(".empty-when-logged-off").empty(); $(".remove-when-logged-off").remove(); - kimchi.window.open({ - url: 'login-window.html', - id: 'login-window-wrapper' - }); + document.location.href='login.html'; return; } else if((jqXHR['status'] == 0) && ("error"==jqXHR.statusText)) { -- 1.9.3
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com> let cookie remember the last page. Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> Signed-off-by: Yu Xin Huo <huoyuxin@linux.vnet.ibm.com> --- src/kimchi/root.py | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/src/kimchi/root.py b/src/kimchi/root.py index 5ec1cf5..9186486 100644 --- a/src/kimchi/root.py +++ b/src/kimchi/root.py @@ -93,7 +93,11 @@ def tabs(self, page, **kwargs): data['ui_dir'] = paths.ui_dir if page.endswith('.html'): - return template.render('tabs/' + page, data) + context = template.render('tabs/' + page, data) + cherrypy.response.cookie[ + "lastPage"] = "/#tabs/" + page.rstrip(".html") + cherrypy.response.cookie['lastPage']['path'] = '/' + return context raise cherrypy.HTTPError(404) @@ -115,9 +119,13 @@ def login(self, *args, **kwargs): password = kwargs.get('password') # forms base authentication if username is not None: - # UI can parser the redirect url by "next" query parameter - next_url = kwargs.get('next', "/") - next_url = next_url[0] if(type(next_url) is list) else next_url + next_url = cherrypy.request.cookie.get("lastPage") + if next_url is None: + # UI can parser the redirect url by "next" query parameter + next_url = kwargs.get('next', "/") + next_url = next_url[0] if(type(next_url) is list) else next_url + else: + next_url = next_url.value auth.login(username, password) raise cherrypy.HTTPRedirect(next_url, 303) else: -- 1.9.3
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com> when username or password is wrong, come back to login page with an error message. Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> --- src/kimchi/auth.py | 19 +++++++++++++------ ui/pages/login.html.tmpl | 6 ++++++ 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py index a38dbd3..9cb40d3 100644 --- a/src/kimchi/auth.py +++ b/src/kimchi/auth.py @@ -131,9 +131,8 @@ def _pam_conv(auth, query_list, userData=None): try: auth.authenticate() - except PAM.error, (resp, code): - msg_args = {'username': username, 'code': code} - raise OperationFailed("KCHAUTH0001E", msg_args) + except PAM.error: + raise return True @@ -196,9 +195,17 @@ def check_auth_httpba(): def login(username, password): - if not authenticate(username, password): - debug("User cannot be verified with the supplied password") - return None + try: + if not authenticate(username, password): + debug("User cannot be verified with the supplied password") + return None + except PAM.error, (resp, code): + if (cherrypy.request.path_info == "/login" and + not template.can_accept('application/json')): + raise cherrypy.HTTPRedirect("/login.html?error=userPassWrong", 303) + msg_args = {'username': username, 'code': code} + raise OperationFailed("KCHAUTH0001E", msg_args) + user = User(username) debug("User verified, establishing session") cherrypy.session.acquire_lock() diff --git a/ui/pages/login.html.tmpl b/ui/pages/login.html.tmpl index 555430b..0e53041 100644 --- a/ui/pages/login.html.tmpl +++ b/ui/pages/login.html.tmpl @@ -70,8 +70,14 @@ function updateBtnLabel() { document.getElementById("login").style.display = "none"; document.getElementById("logging").style.display = ""; } +function setMessage() { + var err = "$getVar('data.error', '')"; + if(err=="userPassWrong") + document.getElementById("messUserPass").style.display = ""; +} function init() { setLang(); + setMessage(); } </script> </head> -- 1.9.3
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com> When session timeout, come back to login page with an error message. When session logout, close session directly. Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> --- src/kimchi/auth.py | 25 ++++++++++++++++++++++--- src/kimchi/config.py.in | 4 ++++ src/kimchi/server.py | 2 ++ ui/js/src/kimchi.main.js | 11 +++++++++-- ui/pages/login.html.tmpl | 2 ++ 5 files changed, 39 insertions(+), 5 deletions(-) diff --git a/src/kimchi/auth.py b/src/kimchi/auth.py index 9cb40d3..59889ed 100644 --- a/src/kimchi/auth.py +++ b/src/kimchi/auth.py @@ -161,7 +161,7 @@ def check_auth_session(): cherrypy.session.timeout * 60): cherrypy.session[USER_NAME] = None cherrypy.lib.sessions.expire() - raise cherrypy.HTTPError(401) + raise cherrypy.HTTPError(401, "sessionTimeout") else: cherrypy.session[REFRESH] = time.time() return True @@ -223,7 +223,7 @@ def logout(): cherrypy.session[USER_NAME] = None cherrypy.session[REFRESH] = 0 cherrypy.session.release_lock() - cherrypy.lib.sessions.expire() + cherrypy.lib.sessions.close() def has_permission(admin_methods): @@ -238,6 +238,7 @@ def has_permission(admin_methods): def kimchiauth(admin_methods=None): debug("Entering kimchiauth...") + session_missing = cherrypy.session.missing if check_auth_session(): if not has_permission(admin_methods): raise cherrypy.HTTPError(403) @@ -249,11 +250,29 @@ def kimchiauth(admin_methods=None): return # not a REST full request, redirect login page directly - if not template.can_accept('application/json'): + if ("Accept" in cherrypy.request.headers and + not template.can_accept('application/json')): redirect_login() + # from browser, and it stays on one page. + if session_missing and cherrypy.request.cookie.get("lastPage") is not None: + raise cherrypy.HTTPError(401, "sessionTimeout") + if not from_browser(): cherrypy.response.headers['WWW-Authenticate'] = 'Basic realm=kimchi' e = InvalidOperation('KCHAUTH0002E') raise cherrypy.HTTPError(401, e.message.encode('utf-8')) + + +def kimchisession(admin_methods=None): + session = cherrypy.request.cookie.get("kimchi") + last_page = cherrypy.request.cookie.get("lastPage") + headers = cherrypy.request.headers + authheader = headers.get('AUTHORIZATION') + # when client browser first login in, both the session and lastPage cookie + # are None. + # when session timeout, only session cookie is None. + if (session is None and last_page is None and authheader is None and + ("Accept" in headers and not template.can_accept('application/json'))): + redirect_login() diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in index d4cbda0..f557516 100644 --- a/src/kimchi/config.py.in +++ b/src/kimchi/config.py.in @@ -179,6 +179,7 @@ class KimchiConfig(dict): 'tools.sessions.locking': 'explicit', 'tools.sessions.storage_type': 'ram', 'tools.sessions.timeout': SESSIONSTIMEOUT, + 'tools.kimchisession.on': True, 'tools.kimchiauth.on': False }, '/vnc_auto.html': { @@ -190,6 +191,9 @@ class KimchiConfig(dict): '/kimchi-ui.html': { 'tools.kimchiauth.on': True }, + '/login.html': { + 'tools.kimchisession.on': False, + }, '/data/screenshots': { 'tools.staticdir.on': True, 'tools.staticdir.dir': get_screenshot_path(), diff --git a/src/kimchi/server.py b/src/kimchi/server.py index 7344349..30140ce 100644 --- a/src/kimchi/server.py +++ b/src/kimchi/server.py @@ -77,6 +77,8 @@ def __init__(self, options): cherrypy.tools.nocache = cherrypy.Tool('on_end_resource', set_no_cache) cherrypy.tools.kimchiauth = cherrypy.Tool('before_handler', auth.kimchiauth) + cherrypy.tools.kimchisession = cherrypy.Tool('before_request_body', + auth.kimchisession) # Setting host to 127.0.0.1. This makes kimchi runs # as a localhost app, inaccessible to the outside # directly. You must go through the proxy. diff --git a/ui/js/src/kimchi.main.js b/ui/js/src/kimchi.main.js index 2a8f461..4dc57e5 100644 --- a/ui/js/src/kimchi.main.js +++ b/ui/js/src/kimchi.main.js @@ -138,7 +138,13 @@ kimchi.main = function() { */ var loadPage = function(url) { // Get the page content through Ajax and render it. - url && $('#main').load(url, function(responseText, textStatus, jqXHR) {}); + url && $('#main').load(url, function(responseText, textStatus, jqXHR) { + if (jqXHR['status'] === 401 || jqXHR['status'] === 303) { + var isSessionTimeout = jqXHR['responseText'].indexOf("sessionTimeout")!=-1; + document.location.href= isSessionTimeout ? 'login.html?error=sessionTimeout' : 'login.html'; + return; + } + }); }; /* @@ -223,11 +229,12 @@ kimchi.main = function() { } if (jqXHR['status'] === 401) { + var isSessionTimeout = jqXHR['responseText'].indexOf("sessionTimeout")!=-1; kimchi.user.showUser(false); kimchi.previousAjax = ajaxSettings; $(".empty-when-logged-off").empty(); $(".remove-when-logged-off").remove(); - document.location.href='login.html'; + document.location.href= isSessionTimeout ? 'login.html?error=sessionTimeout' : 'login.html'; return; } else if((jqXHR['status'] == 0) && ("error"==jqXHR.statusText)) { diff --git a/ui/pages/login.html.tmpl b/ui/pages/login.html.tmpl index 0e53041..1e80aad 100644 --- a/ui/pages/login.html.tmpl +++ b/ui/pages/login.html.tmpl @@ -74,6 +74,8 @@ function setMessage() { var err = "$getVar('data.error', '')"; if(err=="userPassWrong") document.getElementById("messUserPass").style.display = ""; + if(err=="sessionTimeout") + document.getElementById("messSession").style.display = ""; } function init() { setLang(); -- 1.9.3
Tested by Yu Xin Huo. On 6/12/2014 6:52 PM, shaohef@linux.vnet.ibm.com wrote:
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com>
V4 -> V5: fix the login bug after an error user/password input
V3 -> V4: improve the login page.
V2 -> V3: improve when to show timeout message
V1 -> V2: when username or password is wrong, back to login page with an error message. when session time out, back to login page with an error message.
ShaoHe Feng (5): create a new login page redirect the URL to login page when session timeout or first login when login successfully, redirect to the last page. login page prompts error when username or password is wrong login page prompts error when session timeout
src/kimchi/auth.py | 53 +++++++++++++++++---- src/kimchi/config.py.in | 7 +++ src/kimchi/root.py | 38 +++++++++++---- src/kimchi/server.py | 2 + tests/test_rest.py | 1 - ui/images/progressing.gif | Bin 0 -> 1152 bytes ui/js/src/kimchi.main.js | 14 ++++-- ui/pages/login.html.tmpl | 118 ++++++++++++++++++++++++++++++++++++++++++++++ 8 files changed, 209 insertions(+), 24 deletions(-) create mode 100644 ui/images/progressing.gif create mode 100644 ui/pages/login.html.tmpl
From: ShaoHe Feng <shaohef@linux.vnet.ibm.com> change some config of cherrypy root. update the test case. Signed-off-by: ShaoHe Feng <shaohef@linux.vnet.ibm.com> --- tests/test_config.py.in | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tests/test_config.py.in b/tests/test_config.py.in index 4e4375b..572533a 100644 --- a/tests/test_config.py.in +++ b/tests/test_config.py.in @@ -104,6 +104,7 @@ class ConfigTests(unittest.TestCase): 'tools.sessions.locking': 'explicit', 'tools.sessions.storage_type': 'ram', 'tools.sessions.timeout': SESSIONSTIMEOUT, + 'tools.kimchisession.on': True, 'tools.kimchiauth.on': False }, '/vnc_auto.html': { @@ -112,6 +113,12 @@ class ConfigTests(unittest.TestCase): '/spice.html': { 'tools.kimchiauth.on': True }, + '/kimchi-ui.html': { + 'tools.kimchiauth.on': True + }, + '/login.html': { + 'tools.kimchisession.on': False, + }, '/css': { 'tools.staticdir.on': True, 'tools.staticdir.dir': '%s/ui/css' % paths.prefix, -- 1.9.3
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved. The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page. Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones. So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions. 1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this. 2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl". In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access. I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by. After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry? If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder. on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
I know it's a bit too late to send my opinion, but I thought we reached an agreement. I'm just a bit surprised that the agreement are so easily destroyed. on 2014/06/13 15:12, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones.
So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this.
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by.
After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry?
If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder.
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
-- Zhou Zheng Sheng / 周征晟 E-mail: zhshzhou@linux.vnet.ibm.com Telephone: 86-10-82454397
First of all, what you are complaining about is a pretty, pretty small fraction of the overall login solution. For that fraction, the design is to back to the original url after user login from a session timeout. Shaohe's current implementation works well. what zhengsheng means is about how to improve it. On 6/13/2014 3:12 PM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved. We have ever discussed several options, but we have not converged to a certain one. Let me continue to read to see what the 'ugly' you mean.
This solution works very well, it can always be improved.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones.
Handling cookie back and forth is done by browser and web container. There will be always cookie, this is not an additional overhead. What shaohe does is only to get the current tab url. That is a quite small amount of code.
So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this.
This is server side redirect after form is submitted, at that time, client side has no code to run. Server side redirect browser directly to last page in login response, quite straight-forward. I do not think brower history will be a reliable solution. http://www.w3schools.com/js/js_window_history.asp
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access.
internal redirect will make browser url mismatch with the content. the current design will always keep url address its intended content, this is a virtue over internal redirect we should pursue. The ugly cookie is removed, but introduced *a much uglier* "refresh.html" and code in that html. To me, it is much more complicated.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by.
This is not to-be-abandoned solution. Adam, Aline, Shao He and I have discussed this in a team meeting. It is sent to mail list. all people subscribed to mail list should get it. It is already V5, it is reviewed enough.
After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry?
This is already V5, how can it be an RFC?
If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder.
Speed will always be most key to succeed for any organization. There is nothing broken, it works well. Improvement will never stop. Again, the overall solution is discussed across whole team in one of the Wed's team meeting. Cookie is the best way to store previousPage to reserve user context. If anyone see a better way than cookie for this issue, welcome to discuss with me. As zhengsheng point out, we need to try to improve that small bit of code to store previousPage into cookie. but again, it works well currently. But obviously, that is far from a justification to stop this patch from being merged.
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
So your point is the proposed alternatives is uglier than the current one, and the current one can be improved. Firstly from the JS accessing browser history link you gave me, I don't see anywhere it says it's unreliable. The solution doesn't need to inspect the history, it just back needs to go back. Secondly you think "refresh.html" is uglier than cookie. It's actually not. A "refresh.html" only affects the login process, but the current cookie solution affects all requests and responses that is not related to login. The current solution works, but it is far from works well, and if you want to improve it by suppress sending the previous page cookie in AJAX requests and response, more hacks would be added in both front-end and back-end. This is not improving step by step. To improve step by step, the original direction should be correct and effective, but this is not. on 2014/06/13 17:24, Yu Xin Huo wrote:
First of all, what you are complaining about is a pretty, pretty small fraction of the overall login solution. For that fraction, the design is to back to the original url after user login from a session timeout. Shaohe's current implementation works well. what zhengsheng means is about how to improve it.
On 6/13/2014 3:12 PM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved. We have ever discussed several options, but we have not converged to a certain one. Let me continue to read to see what the 'ugly' you mean.
This solution works very well, it can always be improved.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones.
Handling cookie back and forth is done by browser and web container. There will be always cookie, this is not an additional overhead. What shaohe does is only to get the current tab url. That is a quite small amount of code.
So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this.
This is server side redirect after form is submitted, at that time, client side has no code to run. Server side redirect browser directly to last page in login response, quite straight-forward.
I do not think brower history will be a reliable solution. http://www.w3schools.com/js/js_window_history.asp
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access.
internal redirect will make browser url mismatch with the content. the current design will always keep url address its intended content, this is a virtue over internal redirect we should pursue.
The ugly cookie is removed, but introduced *a much uglier* "refresh.html" and code in that html. To me, it is much more complicated.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by.
This is not to-be-abandoned solution. Adam, Aline, Shao He and I have discussed this in a team meeting. It is sent to mail list. all people subscribed to mail list should get it. It is already V5, it is reviewed enough.
After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry?
This is already V5, how can it be an RFC?
If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder.
Speed will always be most key to succeed for any organization. There is nothing broken, it works well. Improvement will never stop.
Again, the overall solution is discussed across whole team in one of the Wed's team meeting. Cookie is the best way to store previousPage to reserve user context. If anyone see a better way than cookie for this issue, welcome to discuss with me.
As zhengsheng point out, we need to try to improve that small bit of code to store previousPage into cookie. but again, it works well currently. But obviously, that is far from a justification to stop this patch from being merged.
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
-- Zhou Zheng Sheng / 周征晟 E-mail: zhshzhou@linux.vnet.ibm.com Telephone: 86-10-82454397
So your point is the proposed alternatives is uglier than the current one, and the current one can be improved.
Firstly from the JS accessing browser history link you gave me, I don't see anywhere it says it's unreliable. The solution doesn't need to inspect the history, it just back needs to go back.
Secondly you think "refresh.html" is uglier than cookie. It's actually not. A "refresh.html" only affects the login process, but the current cookie solution affects all requests and responses that is not related to login. The current solution works, but it is far from works well, and if you want to improve it by suppress sending the previous page cookie in AJAX requests and response, more hacks would be added in both front-end and back-end. This is not improving step by step. To improve step by step, the original direction should be correct and effective, but this is not. Again, there will always cookie back and forth between browser and web container. It is handled automatically by browser and web container. What make you uncomfortable is that piece of code at server side to get
On 6/13/2014 5:45 PM, Zhou Zheng Sheng wrote: previousPage. Both client javascript and web container can set cookie. the previsousPage can also be set with javascript in client side, each time user go to a new tab, there is a callback, in the callback, previousPage can be set into cookie.
on 2014/06/13 17:24, Yu Xin Huo wrote:
First of all, what you are complaining about is a pretty, pretty small fraction of the overall login solution. For that fraction, the design is to back to the original url after user login from a session timeout. Shaohe's current implementation works well. what zhengsheng means is about how to improve it.
On 6/13/2014 3:12 PM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved. We have ever discussed several options, but we have not converged to a certain one. Let me continue to read to see what the 'ugly' you mean.
This solution works very well, it can always be improved.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones. Handling cookie back and forth is done by browser and web container. There will be always cookie, this is not an additional overhead. What shaohe does is only to get the current tab url. That is a quite small amount of code. So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this. This is server side redirect after form is submitted, at that time, client side has no code to run. Server side redirect browser directly to last page in login response, quite straight-forward.
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access. internal redirect will make browser url mismatch with the content.
I do not think brower history will be a reliable solution. http://www.w3schools.com/js/js_window_history.asp the current design will always keep url address its intended content, this is a virtue over internal redirect we should pursue.
The ugly cookie is removed, but introduced *a much uglier* "refresh.html" and code in that html. To me, it is much more complicated.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by. This is not to-be-abandoned solution. Adam, Aline, Shao He and I have discussed this in a team meeting. It is sent to mail list. all people subscribed to mail list should get it. It is already V5, it is reviewed enough. After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry? This is already V5, how can it be an RFC? If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder. Speed will always be most key to succeed for any organization. There is nothing broken, it works well. Improvement will never stop.
Again, the overall solution is discussed across whole team in one of the Wed's team meeting. Cookie is the best way to store previousPage to reserve user context. If anyone see a better way than cookie for this issue, welcome to discuss with me.
As zhengsheng point out, we need to try to improve that small bit of code to store previousPage into cookie. but again, it works well currently. But obviously, that is far from a justification to stop this patch from being merged.
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
On 06/13/2014 05:57 PM, Yu Xin Huo wrote:
On 6/13/2014 5:45 PM, Zhou Zheng Sheng wrote:
So your point is the proposed alternatives is uglier than the current one, and the current one can be improved.
Firstly from the JS accessing browser history link you gave me, I don't see anywhere it says it's unreliable. The solution doesn't need to inspect the history, it just back needs to go back.
Secondly you think "refresh.html" is uglier than cookie. It's actually not. A "refresh.html" only affects the login process, but the current cookie solution affects all requests and responses that is not related to login. The current solution works, but it is far from works well, and if you want to improve it by suppress sending the previous page cookie in AJAX requests and response, more hacks would be added in both front-end and back-end. This is not improving step by step. To improve step by step, the original direction should be correct and effective, but this is not. Again, there will always cookie back and forth between browser and web container. It is handled automatically by browser and web container. What make you uncomfortable is that piece of code at server side to get previousPage. I think browser to redirect seems more easy. But I not familiar with JS.
We have said let others to try it first as back-end redirect.
Both client javascript and web container can set cookie. the previsousPage can also be set with javascript in client side, each time user go to a new tab, there is a callback, in the callback, previousPage can be set into cookie.
on 2014/06/13 17:24, Yu Xin Huo wrote:
First of all, what you are complaining about is a pretty, pretty small fraction of the overall login solution. For that fraction, the design is to back to the original url after user login from a session timeout. Shaohe's current implementation works well. what zhengsheng means is about how to improve it.
On 6/13/2014 3:12 PM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved. We have ever discussed several options, but we have not converged to a certain one. Let me continue to read to see what the 'ugly' you mean.
This solution works very well, it can always be improved.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones. Handling cookie back and forth is done by browser and web container. There will be always cookie, this is not an additional overhead. What shaohe does is only to get the current tab url. That is a quite small amount of code. So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this. This is server side redirect after form is submitted, at that time, client side has no code to run. Server side redirect browser directly to last page in login response, quite straight-forward.
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access. internal redirect will make browser url mismatch with the content.
I do not think brower history will be a reliable solution. http://www.w3schools.com/js/js_window_history.asp the current design will always keep url address its intended content, this is a virtue over internal redirect we should pursue.
The ugly cookie is removed, but introduced *a much uglier* "refresh.html" and code in that html. To me, it is much more complicated.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by. This is not to-be-abandoned solution. Adam, Aline, Shao He and I have discussed this in a team meeting. It is sent to mail list. all people subscribed to mail list should get it. It is already V5, it is reviewed enough. After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry? This is already V5, how can it be an RFC? If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder. Speed will always be most key to succeed for any organization. There is nothing broken, it works well. Improvement will never stop.
Again, the overall solution is discussed across whole team in one of the Wed's team meeting. Cookie is the best way to store previousPage to reserve user context. If anyone see a better way than cookie for this issue, welcome to discuss with me.
As zhengsheng point out, we need to try to improve that small bit of code to store previousPage into cookie. but again, it works well currently. But obviously, that is far from a justification to stop this patch from being merged.
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
-- Thanks and best regards! Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com> IBM Linux Technology Center
On 6/13/2014 6:05 PM, Sheldon wrote:
On 06/13/2014 05:57 PM, Yu Xin Huo wrote:
On 6/13/2014 5:45 PM, Zhou Zheng Sheng wrote:
So your point is the proposed alternatives is uglier than the current one, and the current one can be improved.
Firstly from the JS accessing browser history link you gave me, I don't see anywhere it says it's unreliable. The solution doesn't need to inspect the history, it just back needs to go back.
Secondly you think "refresh.html" is uglier than cookie. It's actually not. A "refresh.html" only affects the login process, but the current cookie solution affects all requests and responses that is not related to login. The current solution works, but it is far from works well, and if you want to improve it by suppress sending the previous page cookie in AJAX requests and response, more hacks would be added in both front-end and back-end. This is not improving step by step. To improve step by step, the original direction should be correct and effective, but this is not. Again, there will always cookie back and forth between browser and web container. It is handled automatically by browser and web container. What make you uncomfortable is that piece of code at server side to get previousPage. I think browser to redirect seems more easy. But I not familiar with JS. It is not browser redirect, it is still server side redirect, browser only get current tab url and store it into cookie.
We have said let others to try it first as back-end redirect.
Both client javascript and web container can set cookie. the previsousPage can also be set with javascript in client side, each time user go to a new tab, there is a callback, in the callback, previousPage can be set into cookie.
on 2014/06/13 17:24, Yu Xin Huo wrote:
First of all, what you are complaining about is a pretty, pretty small fraction of the overall login solution. For that fraction, the design is to back to the original url after user login from a session timeout. Shaohe's current implementation works well. what zhengsheng means is about how to improve it.
On 6/13/2014 3:12 PM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved. We have ever discussed several options, but we have not converged to a certain one. Let me continue to read to see what the 'ugly' you mean.
This solution works very well, it can always be improved.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones. Handling cookie back and forth is done by browser and web container. There will be always cookie, this is not an additional overhead. What shaohe does is only to get the current tab url. That is a quite small amount of code. So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this. This is server side redirect after form is submitted, at that time, client side has no code to run. Server side redirect browser directly to last page in login response, quite straight-forward.
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access. internal redirect will make browser url mismatch with the content.
I do not think brower history will be a reliable solution. http://www.w3schools.com/js/js_window_history.asp the current design will always keep url address its intended content, this is a virtue over internal redirect we should pursue.
The ugly cookie is removed, but introduced *a much uglier* "refresh.html" and code in that html. To me, it is much more complicated.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by. This is not to-be-abandoned solution. Adam, Aline, Shao He and I have discussed this in a team meeting. It is sent to mail list. all people subscribed to mail list should get it. It is already V5, it is reviewed enough. After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry? This is already V5, how can it be an RFC? If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder. Speed will always be most key to succeed for any organization. There is nothing broken, it works well. Improvement will never stop.
Again, the overall solution is discussed across whole team in one of the Wed's team meeting. Cookie is the best way to store previousPage to reserve user context. If anyone see a better way than cookie for this issue, welcome to discuss with me.
As zhengsheng point out, we need to try to improve that small bit of code to store previousPage into cookie. but again, it works well currently. But obviously, that is far from a justification to stop this patch from being merged.
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
on 2014/06/13 17:57, Yu Xin Huo wrote:
So your point is the proposed alternatives is uglier than the current one, and the current one can be improved.
Firstly from the JS accessing browser history link you gave me, I don't see anywhere it says it's unreliable. The solution doesn't need to inspect the history, it just back needs to go back.
Secondly you think "refresh.html" is uglier than cookie. It's actually not. A "refresh.html" only affects the login process, but the current cookie solution affects all requests and responses that is not related to login. The current solution works, but it is far from works well, and if you want to improve it by suppress sending the previous page cookie in AJAX requests and response, more hacks would be added in both front-end and back-end. This is not improving step by step. To improve step by step, the original direction should be correct and effective, but this is not. Again, there will always cookie back and forth between browser and web container. It is handled automatically by browser and web container. What make you uncomfortable is that piece of code at server side to get
On 6/13/2014 5:45 PM, Zhou Zheng Sheng wrote: previousPage.
Yes, but the previousPage cookie is unnecessary regardless if it's handled automatically or not. The alternative solutions we discussed can avoid this unnecessary handling, and restrict the login handling logic only to a small region of code and runtime process.
Both client javascript and web container can set cookie. the previsousPage can also be set with javascript in client side, each time user go to a new tab, there is a callback, in the callback, previousPage can be set into cookie.
But the previousPage cookie is still carried forth and back in normal requests, which is absolute redundant information, not to mention the troubles it causes when the user opens two firefox tabs accessing different page of Kimchi.
on 2014/06/13 17:24, Yu Xin Huo wrote:
First of all, what you are complaining about is a pretty, pretty small fraction of the overall login solution. For that fraction, the design is to back to the original url after user login from a session timeout. Shaohe's current implementation works well. what zhengsheng means is about how to improve it.
On 6/13/2014 3:12 PM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved. We have ever discussed several options, but we have not converged to a certain one. Let me continue to read to see what the 'ugly' you mean.
This solution works very well, it can always be improved.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones. Handling cookie back and forth is done by browser and web container. There will be always cookie, this is not an additional overhead. What shaohe does is only to get the current tab url. That is a quite small amount of code. So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this. This is server side redirect after form is submitted, at that time, client side has no code to run. Server side redirect browser directly to last page in login response, quite straight-forward.
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access. internal redirect will make browser url mismatch with the content.
I do not think brower history will be a reliable solution. http://www.w3schools.com/js/js_window_history.asp the current design will always keep url address its intended content, this is a virtue over internal redirect we should pursue.
The ugly cookie is removed, but introduced *a much uglier* "refresh.html" and code in that html. To me, it is much more complicated.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by. This is not to-be-abandoned solution. Adam, Aline, Shao He and I have discussed this in a team meeting. It is sent to mail list. all people subscribed to mail list should get it. It is already V5, it is reviewed enough. After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry? This is already V5, how can it be an RFC? If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder. Speed will always be most key to succeed for any organization. There is nothing broken, it works well. Improvement will never stop.
Again, the overall solution is discussed across whole team in one of the Wed's team meeting. Cookie is the best way to store previousPage to reserve user context. If anyone see a better way than cookie for this issue, welcome to discuss with me.
As zhengsheng point out, we need to try to improve that small bit of code to store previousPage into cookie. but again, it works well currently. But obviously, that is far from a justification to stop this patch from being merged.
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
on 2014/06/13 17:57, Yu Xin Huo wrote:
So your point is the proposed alternatives is uglier than the current one, and the current one can be improved.
Firstly from the JS accessing browser history link you gave me, I don't see anywhere it says it's unreliable. The solution doesn't need to inspect the history, it just back needs to go back.
Secondly you think "refresh.html" is uglier than cookie. It's actually not. A "refresh.html" only affects the login process, but the current cookie solution affects all requests and responses that is not related to login. The current solution works, but it is far from works well, and if you want to improve it by suppress sending the previous page cookie in AJAX requests and response, more hacks would be added in both front-end and back-end. This is not improving step by step. To improve step by step, the original direction should be correct and effective, but this is not. Again, there will always cookie back and forth between browser and web container. It is handled automatically by browser and web container. What make you uncomfortable is that piece of code at server side to get
On 6/13/2014 5:45 PM, Zhou Zheng Sheng wrote: previousPage. Yes, but the previousPage cookie is unnecessary regardless if it's handled automatically or not. The alternative solutions we discussed can avoid this unnecessary handling, and restrict the login handling logic only to a small region of code and runtime process.
On 6/13/2014 6:07 PM, Zhou Zheng Sheng wrote: there are 2 alternative solutions you proposed: 1. brower history -- unreliable as I replied. 2. internal redirect -- 1. make browser url mismatch its content, it is desirable to make browser url truly address it intended content. 2. after login, server response back a refresh.html with javascript to reload browser, this refresh.html need to be pasted to browser to get that javascript to run. user will definitely perceive this page switch, make it a bad experience. 3. Compare with a single cookie attribute, there are must more side effects.
Both client javascript and web container can set cookie. the previsousPage can also be set with javascript in client side, each time user go to a new tab, there is a callback, in the callback, previousPage can be set into cookie. But the previousPage cookie is still carried forth and back in normal requests, which is absolute redundant information, not to mention the troubles it causes when the user opens two firefox tabs accessing different page of Kimchi.
Cookie will always be sent back and forth regardless of our previousPage url. What trouble you mean when multiple browser tabs, please clarify.
on 2014/06/13 17:24, Yu Xin Huo wrote:
First of all, what you are complaining about is a pretty, pretty small fraction of the overall login solution. For that fraction, the design is to back to the original url after user login from a session timeout. Shaohe's current implementation works well. what zhengsheng means is about how to improve it.
On 6/13/2014 3:12 PM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved. We have ever discussed several options, but we have not converged to a certain one. Let me continue to read to see what the 'ugly' you mean.
This solution works very well, it can always be improved.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones. Handling cookie back and forth is done by browser and web container. There will be always cookie, this is not an additional overhead. What shaohe does is only to get the current tab url. That is a quite small amount of code. So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this. This is server side redirect after form is submitted, at that time, client side has no code to run. Server side redirect browser directly to last page in login response, quite straight-forward.
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access. internal redirect will make browser url mismatch with the content.
I do not think brower history will be a reliable solution. http://www.w3schools.com/js/js_window_history.asp the current design will always keep url address its intended content, this is a virtue over internal redirect we should pursue.
The ugly cookie is removed, but introduced *a much uglier* "refresh.html" and code in that html. To me, it is much more complicated.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by. This is not to-be-abandoned solution. Adam, Aline, Shao He and I have discussed this in a team meeting. It is sent to mail list. all people subscribed to mail list should get it. It is already V5, it is reviewed enough. After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry? This is already V5, how can it be an RFC? If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder. Speed will always be most key to succeed for any organization. There is nothing broken, it works well. Improvement will never stop.
Again, the overall solution is discussed across whole team in one of the Wed's team meeting. Cookie is the best way to store previousPage to reserve user context. If anyone see a better way than cookie for this issue, welcome to discuss with me.
As zhengsheng point out, we need to try to improve that small bit of code to store previousPage into cookie. but again, it works well currently. But obviously, that is far from a justification to stop this patch from being merged.
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
on 2014/06/13 18:47, Yu Xin Huo wrote:
on 2014/06/13 17:57, Yu Xin Huo wrote:
So your point is the proposed alternatives is uglier than the current one, and the current one can be improved.
Firstly from the JS accessing browser history link you gave me, I don't see anywhere it says it's unreliable. The solution doesn't need to inspect the history, it just back needs to go back.
Secondly you think "refresh.html" is uglier than cookie. It's actually not. A "refresh.html" only affects the login process, but the current cookie solution affects all requests and responses that is not related to login. The current solution works, but it is far from works well, and if you want to improve it by suppress sending the previous page cookie in AJAX requests and response, more hacks would be added in both front-end and back-end. This is not improving step by step. To improve step by step, the original direction should be correct and effective, but this is not. Again, there will always cookie back and forth between browser and web container. It is handled automatically by browser and web container. What make you uncomfortable is that piece of code at server side to get
On 6/13/2014 5:45 PM, Zhou Zheng Sheng wrote: previousPage. Yes, but the previousPage cookie is unnecessary regardless if it's handled automatically or not. The alternative solutions we discussed can avoid this unnecessary handling, and restrict the login handling logic only to a small region of code and runtime process.
On 6/13/2014 6:07 PM, Zhou Zheng Sheng wrote: there are 2 alternative solutions you proposed:
1. brower history -- unreliable as I replied.
1. You are correct
2. internal redirect -- 1. make browser url mismatch its content, it is desirable to make browser url truly address it intended content. 2. after login, server response back a refresh.html with javascript to reload browser, this refresh.html need to be pasted to browser to get that javascript to run. user will definitely perceive this page switch, make it a bad experience. 3. Compare with a single cookie attribute, there are must more side effects.
2. There are plenty of ways to improve internal redirect method and eliminate the need for "refresh.html". Option 2.1. Upon unauthenticated access, back-end internal redirects to "login.html". The POST action of the form send the current page URI to the back-end as well, then after the /login URI handler authenticates the user, it fetches the "Referer" header of the request, and this header contains the original page URL, then back-ends uses internal redirect or HTTP 3xx redirect to present the original page content. Option 2.2. Upon unauthenticated access, back-end internal redirects to "login.html". The form in the "login.html" contains a hidden input indicating the current URI. Then the JS in "login.html" fills this hidden input upon successfully loading the page. So the POST action of the form send the current page URI to the back-end as well, then after the /login URI handler authenticates the user, it uses internal or HTTP 3xx redirect to lead the processing flow back to the original URI. Option 2.3. Upon unauthenticated access, back-end internal redirects to "login.html". "login.html" does not use traditional HTTP POST form, instead, it uses /login API call to login using AJAX invocation, upon successful login, "login.html" refreshes the page. Actually "softlayer.com" is using some means of internal redirection to guide user to the previous page. You can try to open the following links. https://control.softlayer.com/account/invoices https://control.softlayer.com/account/orders You'll notice it returns a plain login page, after login, it triggers a refresh that the user doesn't notice at all. The page switch only happens in login process. Though you state cookie approach as "single cookie attribute", but it gets transferred in every request and response even the AJAX ones. It's obvious which is more evil. There is also an inevitable bug in cookie approach. Say the user opens two firefox tabs, one is for VMs, the other is for StoragePool. Once the session is expired, and the user login in VMs, it may lead the user to StoragePools if StoragePools happens to be opened after VMs. Moreover, I didn't see any investigation on how other WEB sites does this. Though this is not my task, I just investigated softlayer to prove my point. I suggest anyone who works on this firstly do some research on the existing WEB sites and avoid re-inventing the wheel.
Both client javascript and web container can set cookie. the previsousPage can also be set with javascript in client side, each time user go to a new tab, there is a callback, in the callback, previousPage can be set into cookie. But the previousPage cookie is still carried forth and back in normal requests, which is absolute redundant information, not to mention the troubles it causes when the user opens two firefox tabs accessing different page of Kimchi.
Cookie will always be sent back and forth regardless of our previousPage url. What trouble you mean when multiple browser tabs, please clarify.
on 2014/06/13 17:24, Yu Xin Huo wrote:
First of all, what you are complaining about is a pretty, pretty small fraction of the overall login solution. For that fraction, the design is to back to the original url after user login from a session timeout. Shaohe's current implementation works well. what zhengsheng means is about how to improve it.
On 6/13/2014 3:12 PM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved. We have ever discussed several options, but we have not converged to a certain one. Let me continue to read to see what the 'ugly' you mean.
This solution works very well, it can always be improved.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones. Handling cookie back and forth is done by browser and web container. There will be always cookie, this is not an additional overhead. What shaohe does is only to get the current tab url. That is a quite small amount of code. So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this. This is server side redirect after form is submitted, at that time, client side has no code to run. Server side redirect browser directly to last page in login response, quite straight-forward.
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access. internal redirect will make browser url mismatch with the content.
I do not think brower history will be a reliable solution. http://www.w3schools.com/js/js_window_history.asp the current design will always keep url address its intended content, this is a virtue over internal redirect we should pursue.
The ugly cookie is removed, but introduced *a much uglier* "refresh.html" and code in that html. To me, it is much more complicated.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by. This is not to-be-abandoned solution. Adam, Aline, Shao He and I have discussed this in a team meeting. It is sent to mail list. all people subscribed to mail list should get it. It is already V5, it is reviewed enough. After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry? This is already V5, how can it be an RFC? If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder. Speed will always be most key to succeed for any organization. There is nothing broken, it works well. Improvement will never stop.
Again, the overall solution is discussed across whole team in one of the Wed's team meeting. Cookie is the best way to store previousPage to reserve user context. If anyone see a better way than cookie for this issue, welcome to discuss with me.
As zhengsheng point out, we need to try to improve that small bit of code to store previousPage into cookie. but again, it works well currently. But obviously, that is far from a justification to stop this patch from being merged.
on 2014/06/13 05:50, Aline Manera wrote: > Applied. Thanks. > > Regards, > > Aline Manera > > _______________________________________________ > Kimchi-devel mailing list > Kimchi-devel@ovirt.org > http://lists.ovirt.org/mailman/listinfo/kimchi-devel >
-- Zhou Zheng Sheng / 周征晟 E-mail: zhshzhou@linux.vnet.ibm.com Telephone: 86-10-82454397
On 6/16/2014 11:33 AM, Zhou Zheng Sheng wrote: > on 2014/06/13 18:47, Yu Xin Huo wrote: >> On 6/13/2014 6:07 PM, Zhou Zheng Sheng wrote: >>> on 2014/06/13 17:57, Yu Xin Huo wrote: >>>> On 6/13/2014 5:45 PM, Zhou Zheng Sheng wrote: >>>>> So your point is the proposed alternatives is uglier than the current >>>>> one, and the current one can be improved. >>>>> >>>>> Firstly from the JS accessing browser history link you gave me, I don't >>>>> see anywhere it says it's unreliable. The solution doesn't need to >>>>> inspect the history, it just back needs to go back. >>>>> >>>>> Secondly you think "refresh.html" is uglier than cookie. It's actually >>>>> not. A "refresh.html" only affects the login process, but the current >>>>> cookie solution affects all requests and responses that is not related >>>>> to login. The current solution works, but it is far from works well, >>>>> and >>>>> if you want to improve it by suppress sending the previous page cookie >>>>> in AJAX requests and response, more hacks would be added in both >>>>> front-end and back-end. This is not improving step by step. To improve >>>>> step by step, the original direction should be correct and effective, >>>>> but this is not. >>>> Again, there will always cookie back and forth between browser and web >>>> container. It is handled automatically by browser and web container. >>>> What make you uncomfortable is that piece of code at server side to get >>>> previousPage. >>> Yes, but the previousPage cookie is unnecessary regardless if it's >>> handled automatically or not. The alternative solutions we discussed can >>> avoid this unnecessary handling, and restrict the login handling logic >>> only to a small region of code and runtime process. >> there are 2 alternative solutions you proposed: >> >> 1. brower history >> -- unreliable as I replied. > 1. You are correct > >> 2. internal redirect >> -- 1. make browser url mismatch its content, it is >> desirable to make browser url truly address it intended content. >> 2. after login, server response back a refresh.html >> with javascript to reload browser, this refresh.html need to be pasted >> to browser to get that javascript to run. >> user will definitely perceive this page switch, >> make it a bad experience. >> 3. Compare with a single cookie attribute, there are >> must more side effects. > 2. There are plenty of ways to improve internal redirect method and > eliminate the need for "refresh.html". > > Option 2.1. Upon unauthenticated access, back-end internal redirects to > "login.html". The POST action of the form send the current page URI to > the back-end as well, then after the /login URI handler authenticates > the user, it fetches the "Referer" header of the request, and this > header contains the original page URL, then back-ends uses internal > redirect or HTTP 3xx redirect to present the original page content. "Referer" does not work. Please google search or try it yourself. > > Option 2.2. Upon unauthenticated access, back-end internal redirects to > "login.html". The form in the "login.html" contains a hidden input > indicating the current URI. Then the JS in "login.html" fills this > hidden input upon successfully loading the page. So the POST action of > the form send the current page URI to the back-end as well, then after > the /login URI handler authenticates the user, it uses internal or HTTP > 3xx redirect to lead the processing flow back to the original URI. If the first time I try to access kimchi with "https://xxx.xxx.xxx.xxx:8001/login.html", what will happen? > > Option 2.3. Upon unauthenticated access, back-end internal redirects to > "login.html". "login.html" does not use traditional HTTP POST form, > instead, it uses /login API call to login using AJAX invocation, upon > successful login, "login.html" refreshes the page. how to differentiate first time login and session timeout? > > Actually "softlayer.com" is using some means of internal redirection to > guide user to the previous page. You can try to open the following links. > https://control.softlayer.com/account/invoices > https://control.softlayer.com/account/orders > You'll notice it returns a plain login page, after login, it triggers a > refresh that the user doesn't notice at all. > > The page switch only happens in login process. Though you state cookie > approach as "single cookie attribute", but it gets transferred in every > request and response even the AJAX ones. It's obvious which is more > evil. There is also an inevitable bug in cookie approach. Say the user > opens two firefox tabs, one is for VMs, the other is for StoragePool. > Once the session is expired, and the user login in VMs, it may lead the > user to StoragePools if StoragePools happens to be opened after VMs. Quite easy to be solved, I believe there will be an event notification when switching tab. > > Moreover, I didn't see any investigation on how other WEB sites does > this. Though this is not my task, I just investigated softlayer to prove > my point. I suggest anyone who works on this firstly do some research on > the existing WEB sites and avoid re-inventing the wheel. Kimchi has its own problem and solution, others can be referenced, but not defined by them. > >>>> Both client javascript and web container can set cookie. >>>> the previsousPage can also be set with javascript in client side, >>>> each time user go to a new tab, there is a callback, in the callback, >>>> previousPage can be set into cookie. >>> But the previousPage cookie is still carried forth and back in normal >>> requests, which is absolute redundant information, not to mention the >>> troubles it causes when the user opens two firefox tabs accessing >>> different page of Kimchi. >> Cookie will always be sent back and forth regardless of our previousPage >> url. >> What trouble you mean when multiple browser tabs, please clarify. >> >>>>> on 2014/06/13 17:24, Yu Xin Huo wrote: >>>>>> First of all, what you are complaining about is a pretty, pretty small >>>>>> fraction of the overall login solution. >>>>>> For that fraction, the design is to back to the original url after >>>>>> user >>>>>> login from a session timeout. >>>>>> Shaohe's current implementation works well. what zhengsheng means is >>>>>> about how to improve it. >>>>>> >>>>>> On 6/13/2014 3:12 PM, Zhou Zheng Sheng wrote: >>>>>>> If I remembered correctly, Shao He, Yu Xin and me had several long >>>>>>> talks >>>>>>> on the login design. This solution is not the solution we agreed, and >>>>>>> all of us thought that this solution is ugly and obviously should be >>>>>>> improved. >>>>>> We have ever discussed several options, but we have not converged to a >>>>>> certain one. >>>>>> Let me continue to read to see what the 'ugly' you mean. >>>>>> >>>>>> This solution works very well, it can always be improved. >>>>>>> The problem is on how it redirects the user back to the previous page >>>>>>> after login. In this patch, the back-end has to intercepts each >>>>>>> access >>>>>>> to any of the ".html" page, and sets >>>>>>> cookie['lastPage'] = current page URI, >>>>>>> and return it to front-end, then the front-end sends this cookie to >>>>>>> back-end in every query, including AJAX query. When the session >>>>>>> expires, >>>>>>> the back-end redirects the front-end to a login page, after login >>>>>>> successfully, the back-end gets cookie['lastPage'], at last, redirect >>>>>>> the user to the last page. >>>>>>> >>>>>>> Just to implement returning to the previous page afte login, the >>>>>>> back-end has to intercept each '.html' access and sets cookie, and >>>>>>> the >>>>>>> front-end has to send the cookie in each request including AJAX ones. >>>>>> Handling cookie back and forth is done by browser and web container. >>>>>> There will be always cookie, this is not an additional overhead. >>>>>> What shaohe does is only to get the current tab url. That is a quite >>>>>> small amount of code. >>>>>>> So in the last talk we agreed that a simpler and more effective >>>>>>> solution >>>>>>> should be used. We at least have two alternative solutions. >>>>>>> >>>>>>> 1. When session is expired, we redirect the user to login.html. After >>>>>>> login successfully, the JS script in the front-end asks the >>>>>>> browser to >>>>>>> go back to the previous page. Since the browser keeps a stack of page >>>>>>> histories, it should be easy to do this. >>>>>> This is server side redirect after form is submitted, at that time, >>>>>> client side has no code to run. >>>>>> Server side redirect browser directly to last page in login response, >>>>>> quite straight-forward. >>>>>> >>>>>> I do not think brower history will be a reliable solution. >>>>>> http://www.w3schools.com/js/js_window_history.asp >>>>>>> 2. When the back-end detects the session is expired or the user >>>>>>> hasn't >>>>>>> login yet, it uses internal redirect to present the "login.html". >>>>>>> From >>>>>>> the front-end point of view, an unauthenticated access to "GET >>>>>>> #tabs/vms.html" returns "login.html". After the user input his/her >>>>>>> password in the "login.html" and click "login", the back-end receives >>>>>>> the request, if the password is correct, it returns a >>>>>>> "refresh.html". In >>>>>>> "refresh.html" there is actually a small JS code to ask the >>>>>>> browser to >>>>>>> refresh the page. Since we are using internal redirect all the time, >>>>>>> the >>>>>>> page URI in the browser remains "#tabs/vms.html", so after the login, >>>>>>> just refreshing the page would lead user to the real "vms.html.tmpl". >>>>>>> >>>>>>> In the above two solutions, no ugly cookie is needed for each request >>>>>>> and response, and the back-end doesn't have to intercept each ".html" >>>>>>> access, but just has to intercept each unauthenticated access. >>>>>> internal redirect will make browser url mismatch with the content. >>>>>> the current design will always keep url address its intended content, >>>>>> this is a virtue over internal redirect we should pursue. >>>>>> >>>>>> The ugly cookie is removed, but introduced *a much uglier* >>>>>> "refresh.html" and code in that html. >>>>>> To me, it is much more complicated. >>>>>>> I don't know why Yu Xin and Shao He sent the to-be-abandoned solution >>>>>>> again to the mailing list. Patches were sent on 20:00 Chinese local >>>>>>> time, the patches got merged in 05:00 Chinese local time in the next >>>>>>> day. There is no other developer gets CCed. There is no reviewed-by. >>>>>> This is not to-be-abandoned solution. Adam, Aline, Shao He and I have >>>>>> discussed this in a team meeting. >>>>>> It is sent to mail list. all people subscribed to mail list should >>>>>> get it. >>>>>> It is already V5, it is reviewed enough. >>>>>>> After talked to Shao He this morning, he told me that we >>>>>>> determined to >>>>>>> defer this feature/task to seek a better solution. Shao He told me >>>>>>> that >>>>>>> they sent the patch as RFC, not aim to be a final solution. >>>>>>> However it >>>>>>> is a big misleading to other developers because there is no RFC in >>>>>>> the >>>>>>> patch title. There is even no reviewed-by. Is there any reason to >>>>>>> merge >>>>>>> it so hurry? >>>>>> This is already V5, how can it be an RFC? >>>>>>> If there was any time and task pressure, I think as an open source >>>>>>> project, the progress should have some flexibility. We should not >>>>>>> write >>>>>>> code for a known broken solution, while there is obvious alternative >>>>>>> solutions. This is very different from incremental development. In >>>>>>> incremental development, the direction and the solution is >>>>>>> correct, we >>>>>>> just completes the missing pieces step by step. In this case, the >>>>>>> solution and the framework itself is not so effective. Once it's >>>>>>> merged, >>>>>>> we started to rely on this, and changing and improving it would be >>>>>>> much >>>>>>> harder. >>>>>> Speed will always be most key to succeed for any organization. >>>>>> There is nothing broken, it works well. >>>>>> Improvement will never stop. >>>>>> >>>>>> Again, the overall solution is discussed across whole team in one >>>>>> of the >>>>>> Wed's team meeting. >>>>>> Cookie is the best way to store previousPage to reserve user >>>>>> context. If >>>>>> anyone see a better way than cookie for this issue, welcome to discuss >>>>>> with me. >>>>>> >>>>>> As zhengsheng point out, we need to try to improve that small bit of >>>>>> code to store previousPage into cookie. but again, it works well >>>>>> currently. >>>>>> But obviously, that is far from a justification to stop this patch >>>>>> from >>>>>> being merged. >>>>>>> on 2014/06/13 05:50, Aline Manera wrote: >>>>>>>> Applied. Thanks. >>>>>>>> >>>>>>>> Regards, >>>>>>>> >>>>>>>> Aline Manera >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> Kimchi-devel mailing list >>>>>>>> Kimchi-devel@ovirt.org >>>>>>>> http://lists.ovirt.org/mailman/listinfo/kimchi-devel >>>>>>>> >> >
on 2014/06/16 15:53, Yu Xin Huo wrote: > On 6/16/2014 11:33 AM, Zhou Zheng Sheng wrote: >> on 2014/06/13 18:47, Yu Xin Huo wrote: >>> On 6/13/2014 6:07 PM, Zhou Zheng Sheng wrote: >>>> on 2014/06/13 17:57, Yu Xin Huo wrote: >>>>> On 6/13/2014 5:45 PM, Zhou Zheng Sheng wrote: >>>>>> So your point is the proposed alternatives is uglier than the current >>>>>> one, and the current one can be improved. >>>>>> >>>>>> Firstly from the JS accessing browser history link you gave me, I >>>>>> don't >>>>>> see anywhere it says it's unreliable. The solution doesn't need to >>>>>> inspect the history, it just back needs to go back. >>>>>> >>>>>> Secondly you think "refresh.html" is uglier than cookie. It's >>>>>> actually >>>>>> not. A "refresh.html" only affects the login process, but the current >>>>>> cookie solution affects all requests and responses that is not >>>>>> related >>>>>> to login. The current solution works, but it is far from works well, >>>>>> and >>>>>> if you want to improve it by suppress sending the previous page >>>>>> cookie >>>>>> in AJAX requests and response, more hacks would be added in both >>>>>> front-end and back-end. This is not improving step by step. To >>>>>> improve >>>>>> step by step, the original direction should be correct and effective, >>>>>> but this is not. >>>>> Again, there will always cookie back and forth between browser and web >>>>> container. It is handled automatically by browser and web container. >>>>> What make you uncomfortable is that piece of code at server side to >>>>> get >>>>> previousPage. >>>> Yes, but the previousPage cookie is unnecessary regardless if it's >>>> handled automatically or not. The alternative solutions we discussed >>>> can >>>> avoid this unnecessary handling, and restrict the login handling logic >>>> only to a small region of code and runtime process. >>> there are 2 alternative solutions you proposed: >>> >>> 1. brower history >>> -- unreliable as I replied. >> 1. You are correct >> >>> 2. internal redirect >>> -- 1. make browser url mismatch its content, it is >>> desirable to make browser url truly address it intended content. >>> 2. after login, server response back a refresh.html >>> with javascript to reload browser, this refresh.html need to be pasted >>> to browser to get that javascript to run. >>> user will definitely perceive this page switch, >>> make it a bad experience. >>> 3. Compare with a single cookie attribute, there >>> are >>> must more side effects. >> 2. There are plenty of ways to improve internal redirect method and >> eliminate the need for "refresh.html". >> >> Option 2.1. Upon unauthenticated access, back-end internal redirects to >> "login.html". The POST action of the form send the current page URI to >> the back-end as well, then after the /login URI handler authenticates >> the user, it fetches the "Referer" header of the request, and this >> header contains the original page URL, then back-ends uses internal >> redirect or HTTP 3xx redirect to present the original page content. > "Referer" does not work. Please google search or try it yourself. I tried it myself before I sent the previous mail, it works. The problem is that intermediate proxy may change it, or the user can configure firefox not sending it. It's not reliable, but it can served as the last means to get the related page. >> >> Option 2.2. Upon unauthenticated access, back-end internal redirects to >> "login.html". The form in the "login.html" contains a hidden input >> indicating the current URI. Then the JS in "login.html" fills this >> hidden input upon successfully loading the page. So the POST action of >> the form send the current page URI to the back-end as well, then after >> the /login URI handler authenticates the user, it uses internal or HTTP >> 3xx redirect to lead the processing flow back to the original URI. > If the first time I try to access kimchi with > "https://xxx.xxx.xxx.xxx:8001/login.html", what will happen? There is no https://xxx.xxx.xxx.xxx:8001/login.html, it is only served through internal redirect. The user can not directly access it. >> >> Option 2.3. Upon unauthenticated access, back-end internal redirects to >> "login.html". "login.html" does not use traditional HTTP POST form, >> instead, it uses /login API call to login using AJAX invocation, upon >> successful login, "login.html" refreshes the page. > how to differentiate first time login and session timeout? Before internal redirection, back-end can check if it is first time login or timeout, and sets an variable/title/label in the dynamic rendered "login.html". >> >> Actually "softlayer.com" is using some means of internal redirection to >> guide user to the previous page. You can try to open the following links. >> https://control.softlayer.com/account/invoices >> https://control.softlayer.com/account/orders >> You'll notice it returns a plain login page, after login, it triggers a >> refresh that the user doesn't notice at all. What do you think of softlayer.com ? >> >> The page switch only happens in login process. Though you state cookie >> approach as "single cookie attribute", but it gets transferred in every >> request and response even the AJAX ones. It's obvious which is more >> evil. There is also an inevitable bug in cookie approach. Say the user >> opens two firefox tabs, one is for VMs, the other is for StoragePool. >> Once the session is expired, and the user login in VMs, it may lead the >> user to StoragePools if StoragePools happens to be opened after VMs. > Quite easy to be solved, I believe there will be an event notification > when switching tab. The event notification is in the front-end, how do you send it to back-end? >> >> Moreover, I didn't see any investigation on how other WEB sites does >> this. Though this is not my task, I just investigated softlayer to prove >> my point. I suggest anyone who works on this firstly do some research on >> the existing WEB sites and avoid re-inventing the wheel. > Kimchi has its own problem and solution, others can be referenced, but > not defined by them. Yes. However I didn't said we should use the same mechanism as other sites, but I said exactly we can refer them. The problem is that the authors didn't referenced and analyzed other sites' solutions at all. At least I didn't see them in the commit message, email, wiki or offline discussion. Would you please tell me how many sites you referenced and why none of the existing solutions can not be used? Or you can just send me a link of you previous analysis. >> >>>>> Both client javascript and web container can set cookie. >>>>> the previsousPage can also be set with javascript in client side, >>>>> each time user go to a new tab, there is a callback, in the callback, >>>>> previousPage can be set into cookie. >>>> But the previousPage cookie is still carried forth and back in normal >>>> requests, which is absolute redundant information, not to mention the >>>> troubles it causes when the user opens two firefox tabs accessing >>>> different page of Kimchi. >>> Cookie will always be sent back and forth regardless of our previousPage >>> url. >>> What trouble you mean when multiple browser tabs, please clarify. >>> >>>>>> on 2014/06/13 17:24, Yu Xin Huo wrote: >>>>>>> First of all, what you are complaining about is a pretty, pretty >>>>>>> small >>>>>>> fraction of the overall login solution. >>>>>>> For that fraction, the design is to back to the original url after >>>>>>> user >>>>>>> login from a session timeout. >>>>>>> Shaohe's current implementation works well. what zhengsheng means is >>>>>>> about how to improve it. >>>>>>> >>>>>>> On 6/13/2014 3:12 PM, Zhou Zheng Sheng wrote: >>>>>>>> If I remembered correctly, Shao He, Yu Xin and me had several long >>>>>>>> talks >>>>>>>> on the login design. This solution is not the solution we >>>>>>>> agreed, and >>>>>>>> all of us thought that this solution is ugly and obviously >>>>>>>> should be >>>>>>>> improved. >>>>>>> We have ever discussed several options, but we have not converged >>>>>>> to a >>>>>>> certain one. >>>>>>> Let me continue to read to see what the 'ugly' you mean. >>>>>>> >>>>>>> This solution works very well, it can always be improved. >>>>>>>> The problem is on how it redirects the user back to the previous >>>>>>>> page >>>>>>>> after login. In this patch, the back-end has to intercepts each >>>>>>>> access >>>>>>>> to any of the ".html" page, and sets >>>>>>>> cookie['lastPage'] = current page URI, >>>>>>>> and return it to front-end, then the front-end sends this cookie to >>>>>>>> back-end in every query, including AJAX query. When the session >>>>>>>> expires, >>>>>>>> the back-end redirects the front-end to a login page, after login >>>>>>>> successfully, the back-end gets cookie['lastPage'], at last, >>>>>>>> redirect >>>>>>>> the user to the last page. >>>>>>>> >>>>>>>> Just to implement returning to the previous page afte login, the >>>>>>>> back-end has to intercept each '.html' access and sets cookie, and >>>>>>>> the >>>>>>>> front-end has to send the cookie in each request including AJAX >>>>>>>> ones. >>>>>>> Handling cookie back and forth is done by browser and web container. >>>>>>> There will be always cookie, this is not an additional overhead. >>>>>>> What shaohe does is only to get the current tab url. That is a quite >>>>>>> small amount of code. >>>>>>>> So in the last talk we agreed that a simpler and more effective >>>>>>>> solution >>>>>>>> should be used. We at least have two alternative solutions. >>>>>>>> >>>>>>>> 1. When session is expired, we redirect the user to login.html. >>>>>>>> After >>>>>>>> login successfully, the JS script in the front-end asks the >>>>>>>> browser to >>>>>>>> go back to the previous page. Since the browser keeps a stack of >>>>>>>> page >>>>>>>> histories, it should be easy to do this. >>>>>>> This is server side redirect after form is submitted, at that time, >>>>>>> client side has no code to run. >>>>>>> Server side redirect browser directly to last page in login >>>>>>> response, >>>>>>> quite straight-forward. >>>>>>> >>>>>>> I do not think brower history will be a reliable solution. >>>>>>> http://www.w3schools.com/js/js_window_history.asp >>>>>>>> 2. When the back-end detects the session is expired or the user >>>>>>>> hasn't >>>>>>>> login yet, it uses internal redirect to present the "login.html". >>>>>>>> From >>>>>>>> the front-end point of view, an unauthenticated access to "GET >>>>>>>> #tabs/vms.html" returns "login.html". After the user input his/her >>>>>>>> password in the "login.html" and click "login", the back-end >>>>>>>> receives >>>>>>>> the request, if the password is correct, it returns a >>>>>>>> "refresh.html". In >>>>>>>> "refresh.html" there is actually a small JS code to ask the >>>>>>>> browser to >>>>>>>> refresh the page. Since we are using internal redirect all the >>>>>>>> time, >>>>>>>> the >>>>>>>> page URI in the browser remains "#tabs/vms.html", so after the >>>>>>>> login, >>>>>>>> just refreshing the page would lead user to the real >>>>>>>> "vms.html.tmpl". >>>>>>>> >>>>>>>> In the above two solutions, no ugly cookie is needed for each >>>>>>>> request >>>>>>>> and response, and the back-end doesn't have to intercept each >>>>>>>> ".html" >>>>>>>> access, but just has to intercept each unauthenticated access. >>>>>>> internal redirect will make browser url mismatch with the content. >>>>>>> the current design will always keep url address its intended >>>>>>> content, >>>>>>> this is a virtue over internal redirect we should pursue. >>>>>>> >>>>>>> The ugly cookie is removed, but introduced *a much uglier* >>>>>>> "refresh.html" and code in that html. >>>>>>> To me, it is much more complicated. >>>>>>>> I don't know why Yu Xin and Shao He sent the to-be-abandoned >>>>>>>> solution >>>>>>>> again to the mailing list. Patches were sent on 20:00 Chinese local >>>>>>>> time, the patches got merged in 05:00 Chinese local time in the >>>>>>>> next >>>>>>>> day. There is no other developer gets CCed. There is no >>>>>>>> reviewed-by. >>>>>>> This is not to-be-abandoned solution. Adam, Aline, Shao He and I >>>>>>> have >>>>>>> discussed this in a team meeting. >>>>>>> It is sent to mail list. all people subscribed to mail list should >>>>>>> get it. >>>>>>> It is already V5, it is reviewed enough. >>>>>>>> After talked to Shao He this morning, he told me that we >>>>>>>> determined to >>>>>>>> defer this feature/task to seek a better solution. Shao He told me >>>>>>>> that >>>>>>>> they sent the patch as RFC, not aim to be a final solution. >>>>>>>> However it >>>>>>>> is a big misleading to other developers because there is no RFC in >>>>>>>> the >>>>>>>> patch title. There is even no reviewed-by. Is there any reason to >>>>>>>> merge >>>>>>>> it so hurry? >>>>>>> This is already V5, how can it be an RFC? >>>>>>>> If there was any time and task pressure, I think as an open source >>>>>>>> project, the progress should have some flexibility. We should not >>>>>>>> write >>>>>>>> code for a known broken solution, while there is obvious >>>>>>>> alternative >>>>>>>> solutions. This is very different from incremental development. In >>>>>>>> incremental development, the direction and the solution is >>>>>>>> correct, we >>>>>>>> just completes the missing pieces step by step. In this case, the >>>>>>>> solution and the framework itself is not so effective. Once it's >>>>>>>> merged, >>>>>>>> we started to rely on this, and changing and improving it would be >>>>>>>> much >>>>>>>> harder. >>>>>>> Speed will always be most key to succeed for any organization. >>>>>>> There is nothing broken, it works well. >>>>>>> Improvement will never stop. >>>>>>> >>>>>>> Again, the overall solution is discussed across whole team in one >>>>>>> of the >>>>>>> Wed's team meeting. >>>>>>> Cookie is the best way to store previousPage to reserve user >>>>>>> context. If >>>>>>> anyone see a better way than cookie for this issue, welcome to >>>>>>> discuss >>>>>>> with me. >>>>>>> >>>>>>> As zhengsheng point out, we need to try to improve that small bit of >>>>>>> code to store previousPage into cookie. but again, it works well >>>>>>> currently. >>>>>>> But obviously, that is far from a justification to stop this patch >>>>>>> from >>>>>>> being merged. >>>>>>>> on 2014/06/13 05:50, Aline Manera wrote: >>>>>>>>> Applied. Thanks. >>>>>>>>> >>>>>>>>> Regards, >>>>>>>>> >>>>>>>>> Aline Manera >>>>>>>>> >>>>>>>>> _______________________________________________ >>>>>>>>> Kimchi-devel mailing list >>>>>>>>> Kimchi-devel@ovirt.org >>>>>>>>> http://lists.ovirt.org/mailman/listinfo/kimchi-devel >>>>>>>>> >>> >> > >
On 6/16/2014 4:23 PM, Zhou Zheng Sheng wrote: > on 2014/06/16 15:53, Yu Xin Huo wrote: >> On 6/16/2014 11:33 AM, Zhou Zheng Sheng wrote: >>> on 2014/06/13 18:47, Yu Xin Huo wrote: >>>> On 6/13/2014 6:07 PM, Zhou Zheng Sheng wrote: >>>>> on 2014/06/13 17:57, Yu Xin Huo wrote: >>>>>> On 6/13/2014 5:45 PM, Zhou Zheng Sheng wrote: >>>>>>> So your point is the proposed alternatives is uglier than the current >>>>>>> one, and the current one can be improved. >>>>>>> >>>>>>> Firstly from the JS accessing browser history link you gave me, I >>>>>>> don't >>>>>>> see anywhere it says it's unreliable. The solution doesn't need to >>>>>>> inspect the history, it just back needs to go back. >>>>>>> >>>>>>> Secondly you think "refresh.html" is uglier than cookie. It's >>>>>>> actually >>>>>>> not. A "refresh.html" only affects the login process, but the current >>>>>>> cookie solution affects all requests and responses that is not >>>>>>> related >>>>>>> to login. The current solution works, but it is far from works well, >>>>>>> and >>>>>>> if you want to improve it by suppress sending the previous page >>>>>>> cookie >>>>>>> in AJAX requests and response, more hacks would be added in both >>>>>>> front-end and back-end. This is not improving step by step. To >>>>>>> improve >>>>>>> step by step, the original direction should be correct and effective, >>>>>>> but this is not. >>>>>> Again, there will always cookie back and forth between browser and web >>>>>> container. It is handled automatically by browser and web container. >>>>>> What make you uncomfortable is that piece of code at server side to >>>>>> get >>>>>> previousPage. >>>>> Yes, but the previousPage cookie is unnecessary regardless if it's >>>>> handled automatically or not. The alternative solutions we discussed >>>>> can >>>>> avoid this unnecessary handling, and restrict the login handling logic >>>>> only to a small region of code and runtime process. >>>> there are 2 alternative solutions you proposed: >>>> >>>> 1. brower history >>>> -- unreliable as I replied. >>> 1. You are correct >>> >>>> 2. internal redirect >>>> -- 1. make browser url mismatch its content, it is >>>> desirable to make browser url truly address it intended content. >>>> 2. after login, server response back a refresh.html >>>> with javascript to reload browser, this refresh.html need to be pasted >>>> to browser to get that javascript to run. >>>> user will definitely perceive this page switch, >>>> make it a bad experience. >>>> 3. Compare with a single cookie attribute, there >>>> are >>>> must more side effects. >>> 2. There are plenty of ways to improve internal redirect method and >>> eliminate the need for "refresh.html". >>> >>> Option 2.1. Upon unauthenticated access, back-end internal redirects to >>> "login.html". The POST action of the form send the current page URI to >>> the back-end as well, then after the /login URI handler authenticates >>> the user, it fetches the "Referer" header of the request, and this >>> header contains the original page URL, then back-ends uses internal >>> redirect or HTTP 3xx redirect to present the original page content. >> "Referer" does not work. Please google search or try it yourself. > I tried it myself before I sent the previous mail, it works. The problem > is that intermediate proxy may change it, or the user can configure > firefox not sending it. It's not reliable, but it can served as the last > means to get the related page. Checked all types of requests, "referer" is always below in my env. If "referer" can work, I truly like it very much, that will save us a lot of complexity, can you paste a screen-shot of your env? > >>> Option 2.2. Upon unauthenticated access, back-end internal redirects to >>> "login.html". The form in the "login.html" contains a hidden input >>> indicating the current URI. Then the JS in "login.html" fills this >>> hidden input upon successfully loading the page. So the POST action of >>> the form send the current page URI to the back-end as well, then after >>> the /login URI handler authenticates the user, it uses internal or HTTP >>> 3xx redirect to lead the processing flow back to the original URI. >> If the first time I try to access kimchi with >> "https://xxx.xxx.xxx.xxx:8001/login.html", what will happen? > There is no https://xxx.xxx.xxx.xxx:8001/login.html, it is only served > through internal redirect. The user can not directly access it. For web resources at server side, static, dynamic, protected, unprotected, there will always be a url addressable way to load it. For your design, it completely relies on browser url which is quite easy for user to input anything. For fuzzing security testing or robustness testing, any malformed url maybe tried to check server response. If user does input below, for your option 2.2, it will be a dead loop that user will always see login page. Tester will be quite happy to found it. "https://xxx.xxx.xxx.xxx:8001/login.html" > >>> Option 2.3. Upon unauthenticated access, back-end internal redirects to >>> "login.html". "login.html" does not use traditional HTTP POST form, >>> instead, it uses /login API call to login using AJAX invocation, upon >>> successful login, "login.html" refreshes the page. >> how to differentiate first time login and session timeout? > Before internal redirection, back-end can check if it is first time > login or timeout, and sets an variable/title/label in the dynamic > rendered "login.html". I do not think there is a way to differentiate "user first time login" and "session timeout" by internal redirect. Can you clarity? > >>> Actually "softlayer.com" is using some means of internal redirection to >>> guide user to the previous page. You can try to open the following links. >>> https://control.softlayer.com/account/invoices >>> https://control.softlayer.com/account/orders >>> You'll notice it returns a plain login page, after login, it triggers a >>> refresh that the user doesn't notice at all. > What do you think of softlayer.com ? We have designed a complete, end to end "login/logout/user, pass wrong/session timeout/preserve meaningful user context" experience. And figured out a technical solution to support it. If you do see any better user experience that softlayer delivered than our current design. Feel free to point out. > >>> The page switch only happens in login process. Though you state cookie >>> approach as "single cookie attribute", but it gets transferred in every >>> request and response even the AJAX ones. It's obvious which is more >>> evil. There is also an inevitable bug in cookie approach. Say the user >>> opens two firefox tabs, one is for VMs, the other is for StoragePool. >>> Once the session is expired, and the user login in VMs, it may lead the >>> user to StoragePools if StoragePools happens to be opened after VMs. >> Quite easy to be solved, I believe there will be an event notification >> when switching tab. > The event notification is in the front-end, how do you send it to back-end? front end can also set cookie. > >>> Moreover, I didn't see any investigation on how other WEB sites does >>> this. Though this is not my task, I just investigated softlayer to prove >>> my point. I suggest anyone who works on this firstly do some research on >>> the existing WEB sites and avoid re-inventing the wheel. >> Kimchi has its own problem and solution, others can be referenced, but >> not defined by them. > Yes. However I didn't said we should use the same mechanism as other > sites, but I said exactly we can refer them. The problem is that the > authors didn't referenced and analyzed other sites' solutions at all. At > least I didn't see them in the commit message, email, wiki or offline > discussion. Would you please tell me how many sites you referenced and > why none of the existing solutions can not be used? Or you can just send > me a link of you previous analysis. I do not believe all web sites use internal-redirect to do login, why you only reference a website that use internal-redirect? If I do want to reference others, I will list the top 10 web sites in this world and check how they implement it. Now, only hotmail is available, checked that it is not internal-redirect In an enterprise environment, all applications, systems need to be integrated to enable single access control, single sign on. The whole login process of all apps is delegated to a central access manager, how can internal-redirect work in this case? > >>>>>> Both client javascript and web container can set cookie. >>>>>> the previsousPage can also be set with javascript in client side, >>>>>> each time user go to a new tab, there is a callback, in the callback, >>>>>> previousPage can be set into cookie. >>>>> But the previousPage cookie is still carried forth and back in normal >>>>> requests, which is absolute redundant information, not to mention the >>>>> troubles it causes when the user opens two firefox tabs accessing >>>>> different page of Kimchi. >>>> Cookie will always be sent back and forth regardless of our previousPage >>>> url. >>>> What trouble you mean when multiple browser tabs, please clarify. >>>> >>>>>>> on 2014/06/13 17:24, Yu Xin Huo wrote: >>>>>>>> First of all, what you are complaining about is a pretty, pretty >>>>>>>> small >>>>>>>> fraction of the overall login solution. >>>>>>>> For that fraction, the design is to back to the original url after >>>>>>>> user >>>>>>>> login from a session timeout. >>>>>>>> Shaohe's current implementation works well. what zhengsheng means is >>>>>>>> about how to improve it. >>>>>>>> >>>>>>>> On 6/13/2014 3:12 PM, Zhou Zheng Sheng wrote: >>>>>>>>> If I remembered correctly, Shao He, Yu Xin and me had several long >>>>>>>>> talks >>>>>>>>> on the login design. This solution is not the solution we >>>>>>>>> agreed, and >>>>>>>>> all of us thought that this solution is ugly and obviously >>>>>>>>> should be >>>>>>>>> improved. >>>>>>>> We have ever discussed several options, but we have not converged >>>>>>>> to a >>>>>>>> certain one. >>>>>>>> Let me continue to read to see what the 'ugly' you mean. >>>>>>>> >>>>>>>> This solution works very well, it can always be improved. >>>>>>>>> The problem is on how it redirects the user back to the previous >>>>>>>>> page >>>>>>>>> after login. In this patch, the back-end has to intercepts each >>>>>>>>> access >>>>>>>>> to any of the ".html" page, and sets >>>>>>>>> cookie['lastPage'] = current page URI, >>>>>>>>> and return it to front-end, then the front-end sends this cookie to >>>>>>>>> back-end in every query, including AJAX query. When the session >>>>>>>>> expires, >>>>>>>>> the back-end redirects the front-end to a login page, after login >>>>>>>>> successfully, the back-end gets cookie['lastPage'], at last, >>>>>>>>> redirect >>>>>>>>> the user to the last page. >>>>>>>>> >>>>>>>>> Just to implement returning to the previous page afte login, the >>>>>>>>> back-end has to intercept each '.html' access and sets cookie, and >>>>>>>>> the >>>>>>>>> front-end has to send the cookie in each request including AJAX >>>>>>>>> ones. >>>>>>>> Handling cookie back and forth is done by browser and web container. >>>>>>>> There will be always cookie, this is not an additional overhead. >>>>>>>> What shaohe does is only to get the current tab url. That is a quite >>>>>>>> small amount of code. >>>>>>>>> So in the last talk we agreed that a simpler and more effective >>>>>>>>> solution >>>>>>>>> should be used. We at least have two alternative solutions. >>>>>>>>> >>>>>>>>> 1. When session is expired, we redirect the user to login.html. >>>>>>>>> After >>>>>>>>> login successfully, the JS script in the front-end asks the >>>>>>>>> browser to >>>>>>>>> go back to the previous page. Since the browser keeps a stack of >>>>>>>>> page >>>>>>>>> histories, it should be easy to do this. >>>>>>>> This is server side redirect after form is submitted, at that time, >>>>>>>> client side has no code to run. >>>>>>>> Server side redirect browser directly to last page in login >>>>>>>> response, >>>>>>>> quite straight-forward. >>>>>>>> >>>>>>>> I do not think brower history will be a reliable solution. >>>>>>>> http://www.w3schools.com/js/js_window_history.asp >>>>>>>>> 2. When the back-end detects the session is expired or the user >>>>>>>>> hasn't >>>>>>>>> login yet, it uses internal redirect to present the "login.html". >>>>>>>>> From >>>>>>>>> the front-end point of view, an unauthenticated access to "GET >>>>>>>>> #tabs/vms.html" returns "login.html". After the user input his/her >>>>>>>>> password in the "login.html" and click "login", the back-end >>>>>>>>> receives >>>>>>>>> the request, if the password is correct, it returns a >>>>>>>>> "refresh.html". In >>>>>>>>> "refresh.html" there is actually a small JS code to ask the >>>>>>>>> browser to >>>>>>>>> refresh the page. Since we are using internal redirect all the >>>>>>>>> time, >>>>>>>>> the >>>>>>>>> page URI in the browser remains "#tabs/vms.html", so after the >>>>>>>>> login, >>>>>>>>> just refreshing the page would lead user to the real >>>>>>>>> "vms.html.tmpl". >>>>>>>>> >>>>>>>>> In the above two solutions, no ugly cookie is needed for each >>>>>>>>> request >>>>>>>>> and response, and the back-end doesn't have to intercept each >>>>>>>>> ".html" >>>>>>>>> access, but just has to intercept each unauthenticated access. >>>>>>>> internal redirect will make browser url mismatch with the content. >>>>>>>> the current design will always keep url address its intended >>>>>>>> content, >>>>>>>> this is a virtue over internal redirect we should pursue. >>>>>>>> >>>>>>>> The ugly cookie is removed, but introduced *a much uglier* >>>>>>>> "refresh.html" and code in that html. >>>>>>>> To me, it is much more complicated. >>>>>>>>> I don't know why Yu Xin and Shao He sent the to-be-abandoned >>>>>>>>> solution >>>>>>>>> again to the mailing list. Patches were sent on 20:00 Chinese local >>>>>>>>> time, the patches got merged in 05:00 Chinese local time in the >>>>>>>>> next >>>>>>>>> day. There is no other developer gets CCed. There is no >>>>>>>>> reviewed-by. >>>>>>>> This is not to-be-abandoned solution. Adam, Aline, Shao He and I >>>>>>>> have >>>>>>>> discussed this in a team meeting. >>>>>>>> It is sent to mail list. all people subscribed to mail list should >>>>>>>> get it. >>>>>>>> It is already V5, it is reviewed enough. >>>>>>>>> After talked to Shao He this morning, he told me that we >>>>>>>>> determined to >>>>>>>>> defer this feature/task to seek a better solution. Shao He told me >>>>>>>>> that >>>>>>>>> they sent the patch as RFC, not aim to be a final solution. >>>>>>>>> However it >>>>>>>>> is a big misleading to other developers because there is no RFC in >>>>>>>>> the >>>>>>>>> patch title. There is even no reviewed-by. Is there any reason to >>>>>>>>> merge >>>>>>>>> it so hurry? >>>>>>>> This is already V5, how can it be an RFC? >>>>>>>>> If there was any time and task pressure, I think as an open source >>>>>>>>> project, the progress should have some flexibility. We should not >>>>>>>>> write >>>>>>>>> code for a known broken solution, while there is obvious >>>>>>>>> alternative >>>>>>>>> solutions. This is very different from incremental development. In >>>>>>>>> incremental development, the direction and the solution is >>>>>>>>> correct, we >>>>>>>>> just completes the missing pieces step by step. In this case, the >>>>>>>>> solution and the framework itself is not so effective. Once it's >>>>>>>>> merged, >>>>>>>>> we started to rely on this, and changing and improving it would be >>>>>>>>> much >>>>>>>>> harder. >>>>>>>> Speed will always be most key to succeed for any organization. >>>>>>>> There is nothing broken, it works well. >>>>>>>> Improvement will never stop. >>>>>>>> >>>>>>>> Again, the overall solution is discussed across whole team in one >>>>>>>> of the >>>>>>>> Wed's team meeting. >>>>>>>> Cookie is the best way to store previousPage to reserve user >>>>>>>> context. If >>>>>>>> anyone see a better way than cookie for this issue, welcome to >>>>>>>> discuss >>>>>>>> with me. >>>>>>>> >>>>>>>> As zhengsheng point out, we need to try to improve that small bit of >>>>>>>> code to store previousPage into cookie. but again, it works well >>>>>>>> currently. >>>>>>>> But obviously, that is far from a justification to stop this patch >>>>>>>> from >>>>>>>> being merged. >>>>>>>>> on 2014/06/13 05:50, Aline Manera wrote: >>>>>>>>>> Applied. Thanks. >>>>>>>>>> >>>>>>>>>> Regards, >>>>>>>>>> >>>>>>>>>> Aline Manera >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> Kimchi-devel mailing list >>>>>>>>>> Kimchi-devel@ovirt.org >>>>>>>>>> http://lists.ovirt.org/mailman/listinfo/kimchi-devel >>>>>>>>>> >>
on 2014/06/16 19:46, Yu Xin Huo wrote:
> On 6/16/2014 4:23 PM, Zhou Zheng Sheng wrote:
>> on 2014/06/16 15:53, Yu Xin Huo wrote:
>>> On 6/16/2014 11:33 AM, Zhou Zheng Sheng wrote:
>>>> on 2014/06/13 18:47, Yu Xin Huo wrote:
>>>>> On 6/13/2014 6:07 PM, Zhou Zheng Sheng wrote:
>>>>>> on 2014/06/13 17:57, Yu Xin Huo wrote:
>>>>>>> On 6/13/2014 5:45 PM, Zhou Zheng Sheng wrote:
>>>>>>>> So your point is the proposed alternatives is uglier than the current
>>>>>>>> one, and the current one can be improved.
>>>>>>>>
>>>>>>>> Firstly from the JS accessing browser history link you gave me, I
>>>>>>>> don't
>>>>>>>> see anywhere it says it's unreliable. The solution doesn't need to
>>>>>>>> inspect the history, it just back needs to go back.
>>>>>>>>
>>>>>>>> Secondly you think "refresh.html" is uglier than cookie. It's
>>>>>>>> actually
>>>>>>>> not. A "refresh.html" only affects the login process, but the current
>>>>>>>> cookie solution affects all requests and responses that is not
>>>>>>>> related
>>>>>>>> to login. The current solution works, but it is far from works well,
>>>>>>>> and
>>>>>>>> if you want to improve it by suppress sending the previous page
>>>>>>>> cookie
>>>>>>>> in AJAX requests and response, more hacks would be added in both
>>>>>>>> front-end and back-end. This is not improving step by step. To
>>>>>>>> improve
>>>>>>>> step by step, the original direction should be correct and effective,
>>>>>>>> but this is not.
>>>>>>> Again, there will always cookie back and forth between browser and web
>>>>>>> container. It is handled automatically by browser and web container.
>>>>>>> What make you uncomfortable is that piece of code at server side to
>>>>>>> get
>>>>>>> previousPage.
>>>>>> Yes, but the previousPage cookie is unnecessary regardless if it's
>>>>>> handled automatically or not. The alternative solutions we discussed
>>>>>> can
>>>>>> avoid this unnecessary handling, and restrict the login handling logic
>>>>>> only to a small region of code and runtime process.
>>>>> there are 2 alternative solutions you proposed:
>>>>>
>>>>> 1. brower history
>>>>> -- unreliable as I replied.
>>>> 1. You are correct
>>>>
>>>>> 2. internal redirect
>>>>> -- 1. make browser url mismatch its content, it is
>>>>> desirable to make browser url truly address it intended content.
>>>>> 2. after login, server response back a refresh.html
>>>>> with javascript to reload browser, this refresh.html need to be pasted
>>>>> to browser to get that javascript to run.
>>>>> user will definitely perceive this page switch,
>>>>> make it a bad experience.
>>>>> 3. Compare with a single cookie attribute, there
>>>>> are
>>>>> must more side effects.
>>>> 2. There are plenty of ways to improve internal redirect method and
>>>> eliminate the need for "refresh.html".
>>>>
>>>> Option 2.1. Upon unauthenticated access, back-end internal redirects to
>>>> "login.html". The POST action of the form send the current page URI to
>>>> the back-end as well, then after the /login URI handler authenticates
>>>> the user, it fetches the "Referer" header of the request, and this
>>>> header contains the original page URL, then back-ends uses internal
>>>> redirect or HTTP 3xx redirect to present the original page content.
>>> "Referer" does not work. Please google search or try it yourself.
>> I tried it myself before I sent the previous mail, it works. The problem
>> is that intermediate proxy may change it, or the user can configure
>> firefox not sending it. It's not reliable, but it can served as the last
>> means to get the related page.
>
> Checked all types of requests, "referer" is always below in my env.
>
>
> If "referer" can work, I truly like it very much, that will save us a lot of
> complexity, can you paste a screen-shot of your env?
>
What exactly environment do you want? Firefox about:config or the debug
screen?
>>
>>>> Option 2.2. Upon unauthenticated access, back-end internal redirects to
>>>> "login.html". The form in the "login.html" contains a hidden input
>>>> indicating the current URI. Then the JS in "login.html" fills this
>>>> hidden input upon successfully loading the page. So the POST action of
>>>> the form send the current page URI to the back-end as well, then after
>>>> the /login URI handler authenticates the user, it uses internal or HTTP
>>>> 3xx redirect to lead the processing flow back to the original URI.
>>> If the first time I try to access kimchi with
>>> "https://xxx.xxx.xxx.xxx:8001/login.html", what will happen?
>> There is nohttps://xxx.xxx.xxx.xxx:8001/login.html, it is only served
>> through internal redirect. The user can not directly access it.
> For web resources at server side, static, dynamic, protected, unprotected, there
> will always be a url addressable way to load it.
> For your design, it completely relies on browser url which is quite easy for
> user to input anything.
> For fuzzing security testing or robustness testing, any malformed url maybe
> tried to check server response.
> If user does input below, for your option 2.2, it will be a dead loop that user
> will always see login page. Tester will be quite happy to found it.
>
> "https://xxx.xxx.xxx.xxx:8001/login.html"
>
There are some possible methods to solve this problem.
Firstly, in the above method, there is a hidden input field
"PreviousPage", which is filled by JS with the current URI. Then in the
back-end, after successful /login handling, just before it redirects the
user back, it checks if "PreviousPage" is "login.html", if yes,
redirects to the front page, otherwise redirects to "PreviousPage".
Actually in back-end, it's also possible to restrict a page to be
accessed only fron internal redirection. There are two possible ways to
do this.
a) Usually we use internal redirect as
internal_redirect("login.html"). Actually we can use
internal_redirect("login.html?from=internal"), then in login.html.tmpl,
it checks $data.from, if it is not from internal, it could hide the
content or uses JS to redirect the user to the front-page.
b) A more elegant way is to configure "login.html" as follow.
'/login.html': {tools.kimchi_restrict_internal.on: True},
Then in the function kimchi_restrict_internal(), it checks if
kimchi.request.prev is empty. If it's empty, it is accessed directly,
and we can raise 404. If it's not empty, it is accessed from
InternalRedirect.
>>
>>>> Option 2.3. Upon unauthenticated access, back-end internal redirects to
>>>> "login.html". "login.html" does not use traditional HTTP POST form,
>>>> instead, it uses /login API call to login using AJAX invocation, upon
>>>> successful login, "login.html" refreshes the page.
>>> how to differentiate first time login and session timeout?
>> Before internal redirection, back-end can check if it is first time
>> login or timeout, and sets an variable/title/label in the dynamic
>> rendered "login.html".
> I do not think there is a way to differentiate "user first time login" and
> "session timeout" by internal redirect.
> Can you clarity?
If it's the first time user accesses Kimchi, back-end would create a new
session cookie. And Kimchi does not set cherrypy session timout,
instead, it expire the session by itself. This is because it needs to
differentiate robot requests from normal requests. So the back-end
actually knows if a session is created the first time or it's expired.
>>
>>>> Actually "softlayer.com" is using some means of internal redirection to
>>>> guide user to the previous page. You can try to open the following links.
>>>> https://control.softlayer.com/account/invoices
>>>> https://control.softlayer.com/account/orders
>>>> You'll notice it returns a plain login page, after login, it triggers a
>>>> refresh that the user doesn't notice at all.
>> What do you think of softlayer.com ?
> We have designed a complete, end to end "login/logout/user, pass wrong/session
> timeout/preserve meaningful user context" experience.
> And figured out a technical solution to support it.
> If you do see any better user experience that softlayer delivered than our
> current design. Feel free to point out.
If you really checked softlayer.com . It implements the things you
required. For example, if the user does not take action for some time,
it redirects the browser to the login page and says session timeout.
>>
>>>> The page switch only happens in login process. Though you state cookie
>>>> approach as "single cookie attribute", but it gets transferred in every
>>>> request and response even the AJAX ones. It's obvious which is more
>>>> evil. There is also an inevitable bug in cookie approach. Say the user
>>>> opens two firefox tabs, one is for VMs, the other is for StoragePool.
>>>> Once the session is expired, and the user login in VMs, it may lead the
>>>> user to StoragePools if StoragePools happens to be opened after VMs.
>>> Quite easy to be solved, I believe there will be an event notification
>>> when switching tab.
>> The event notification is in the front-end, how do you send it to back-end?
> front end can also set cookie.
Exactly, so why you have the back-end record the previous page? If you
are really staying with the cookie approach, we can create an common
html page to be included by other pages, sets the previous page cookie
whenever it gets loaded. It seems kimchi-ui.tmpl already serves as this
purpose. I'm not a front-end expert, you can correct me if I didn't
understand it right.
In fact the redirection can be done solely in the front-end. The
back-end has no interests in the previous page. The front-end can use
the HTM5 local storage feature. The front-end can record the current
page URI in the local storage (of cause except login.html), then in
login.html, it uses login API call to authenticate, then it fetches the
previous page from the local storage and go back to it. In this way we
avoid the complexity in back-end and avoid extra cookie in each AJAX
request and response.
>>
>>>> Moreover, I didn't see any investigation on how other WEB sites does
>>>> this. Though this is not my task, I just investigated softlayer to prove
>>>> my point. I suggest anyone who works on this firstly do some research on
>>>> the existing WEB sites and avoid re-inventing the wheel.
>>> Kimchi has its own problem and solution, others can be referenced, but
>>> not defined by them.
>> Yes. However I didn't said we should use the same mechanism as other
>> sites, but I said exactly we can refer them. The problem is that the
>> authors didn't referenced and analyzed other sites' solutions at all. At
>> least I didn't see them in the commit message, email, wiki or offline
>> discussion. Would you please tell me how many sites you referenced and
>> why none of the existing solutions can not be used? Or you can just send
>> me a link of you previous analysis.
> I do not believe all web sites use internal-redirect to do login, why you only
> reference a website that use internal-redirect?
> If I do want to reference others, I will list the top 10 web sites in this world
> and check how they implement it.
>
> Now, only hotmail is available, checked that it is not internal-redirect
>
>
> In an enterprise environment, all applications, systems need to be integrated to
> enable single access control, single sign on.
> The whole login process of all apps is delegated to a central access manager,
> how can internal-redirect work in this case?
>
Then you can state your investigation on how top 10 sites does login,
and checks if they uses the "previous page" cookie solution. I don't
believe top 10 sites uses "previous page" cookie solution for just a
login handling.
Furthermore, there is nothing prevent internal redirect solution to be
integrated with single sign on or ldap.
For example, whether or not the login.html is served by internal
redirect, the actual auth handling is in Kimchi back-end. The Kimchi
login API call or login POST handler can pass the auth to an LDAP server.
I also has done some work on single sign on before. Usually the single
sign on is on the different URI of the login.html. When the browser gets
a token from the central access manager, it can be redirected to
https://kimchi:8001/sso?token=XXXX. Then the sso handler of Kimchi can
check the token with the central manager or check the token in the
back-end which is sets by the central manager in other means.
>>
>>>>>>> Both client javascript and web container can set cookie.
>>>>>>> the previsousPage can also be set with javascript in client side,
>>>>>>> each time user go to a new tab, there is a callback, in the callback,
>>>>>>> previousPage can be set into cookie.
>>>>>> But the previousPage cookie is still carried forth and back in normal
>>>>>> requests, which is absolute redundant information, not to mention the
>>>>>> troubles it causes when the user opens two firefox tabs accessing
>>>>>> different page of Kimchi.
>>>>> Cookie will always be sent back and forth regardless of our previousPage
>>>>> url.
>>>>> What trouble you mean when multiple browser tabs, please clarify.
>>>>>
>>>>>>>> on 2014/06/13 17:24, Yu Xin Huo wrote:
>>>>>>>>> First of all, what you are complaining about is a pretty, pretty
>>>>>>>>> small
>>>>>>>>> fraction of the overall login solution.
>>>>>>>>> For that fraction, the design is to back to the original url after
>>>>>>>>> user
>>>>>>>>> login from a session timeout.
>>>>>>>>> Shaohe's current implementation works well. what zhengsheng means is
>>>>>>>>> about how to improve it.
>>>>>>>>>
>>>>>>>>> On 6/13/2014 3:12 PM, Zhou Zheng Sheng wrote:
>>>>>>>>>> If I remembered correctly, Shao He, Yu Xin and me had several long
>>>>>>>>>> talks
>>>>>>>>>> on the login design. This solution is not the solution we
>>>>>>>>>> agreed, and
>>>>>>>>>> all of us thought that this solution is ugly and obviously
>>>>>>>>>> should be
>>>>>>>>>> improved.
>>>>>>>>> We have ever discussed several options, but we have not converged
>>>>>>>>> to a
>>>>>>>>> certain one.
>>>>>>>>> Let me continue to read to see what the 'ugly' you mean.
>>>>>>>>>
>>>>>>>>> This solution works very well, it can always be improved.
>>>>>>>>>> The problem is on how it redirects the user back to the previous
>>>>>>>>>> page
>>>>>>>>>> after login. In this patch, the back-end has to intercepts each
>>>>>>>>>> access
>>>>>>>>>> to any of the ".html" page, and sets
>>>>>>>>>> cookie['lastPage'] = current page URI,
>>>>>>>>>> and return it to front-end, then the front-end sends this cookie to
>>>>>>>>>> back-end in every query, including AJAX query. When the session
>>>>>>>>>> expires,
>>>>>>>>>> the back-end redirects the front-end to a login page, after login
>>>>>>>>>> successfully, the back-end gets cookie['lastPage'], at last,
>>>>>>>>>> redirect
>>>>>>>>>> the user to the last page.
>>>>>>>>>>
>>>>>>>>>> Just to implement returning to the previous page afte login, the
>>>>>>>>>> back-end has to intercept each '.html' access and sets cookie, and
>>>>>>>>>> the
>>>>>>>>>> front-end has to send the cookie in each request including AJAX
>>>>>>>>>> ones.
>>>>>>>>> Handling cookie back and forth is done by browser and web container.
>>>>>>>>> There will be always cookie, this is not an additional overhead.
>>>>>>>>> What shaohe does is only to get the current tab url. That is a quite
>>>>>>>>> small amount of code.
>>>>>>>>>> So in the last talk we agreed that a simpler and more effective
>>>>>>>>>> solution
>>>>>>>>>> should be used. We at least have two alternative solutions.
>>>>>>>>>>
>>>>>>>>>> 1. When session is expired, we redirect the user to login.html.
>>>>>>>>>> After
>>>>>>>>>> login successfully, the JS script in the front-end asks the
>>>>>>>>>> browser to
>>>>>>>>>> go back to the previous page. Since the browser keeps a stack of
>>>>>>>>>> page
>>>>>>>>>> histories, it should be easy to do this.
>>>>>>>>> This is server side redirect after form is submitted, at that time,
>>>>>>>>> client side has no code to run.
>>>>>>>>> Server side redirect browser directly to last page in login
>>>>>>>>> response,
>>>>>>>>> quite straight-forward.
>>>>>>>>>
>>>>>>>>> I do not think brower history will be a reliable solution.
>>>>>>>>> http://www.w3schools.com/js/js_window_history.asp
>>>>>>>>>> 2. When the back-end detects the session is expired or the user
>>>>>>>>>> hasn't
>>>>>>>>>> login yet, it uses internal redirect to present the "login.html".
>>>>>>>>>> From
>>>>>>>>>> the front-end point of view, an unauthenticated access to "GET
>>>>>>>>>> #tabs/vms.html" returns "login.html". After the user input his/her
>>>>>>>>>> password in the "login.html" and click "login", the back-end
>>>>>>>>>> receives
>>>>>>>>>> the request, if the password is correct, it returns a
>>>>>>>>>> "refresh.html". In
>>>>>>>>>> "refresh.html" there is actually a small JS code to ask the
>>>>>>>>>> browser to
>>>>>>>>>> refresh the page. Since we are using internal redirect all the
>>>>>>>>>> time,
>>>>>>>>>> the
>>>>>>>>>> page URI in the browser remains "#tabs/vms.html", so after the
>>>>>>>>>> login,
>>>>>>>>>> just refreshing the page would lead user to the real
>>>>>>>>>> "vms.html.tmpl".
>>>>>>>>>>
>>>>>>>>>> In the above two solutions, no ugly cookie is needed for each
>>>>>>>>>> request
>>>>>>>>>> and response, and the back-end doesn't have to intercept each
>>>>>>>>>> ".html"
>>>>>>>>>> access, but just has to intercept each unauthenticated access.
>>>>>>>>> internal redirect will make browser url mismatch with the content.
>>>>>>>>> the current design will always keep url address its intended
>>>>>>>>> content,
>>>>>>>>> this is a virtue over internal redirect we should pursue.
>>>>>>>>>
>>>>>>>>> The ugly cookie is removed, but introduced *a much uglier*
>>>>>>>>> "refresh.html" and code in that html.
>>>>>>>>> To me, it is much more complicated.
>>>>>>>>>> I don't know why Yu Xin and Shao He sent the to-be-abandoned
>>>>>>>>>> solution
>>>>>>>>>> again to the mailing list. Patches were sent on 20:00 Chinese local
>>>>>>>>>> time, the patches got merged in 05:00 Chinese local time in the
>>>>>>>>>> next
>>>>>>>>>> day. There is no other developer gets CCed. There is no
>>>>>>>>>> reviewed-by.
>>>>>>>>> This is not to-be-abandoned solution. Adam, Aline, Shao He and I
>>>>>>>>> have
>>>>>>>>> discussed this in a team meeting.
>>>>>>>>> It is sent to mail list. all people subscribed to mail list should
>>>>>>>>> get it.
>>>>>>>>> It is already V5, it is reviewed enough.
>>>>>>>>>> After talked to Shao He this morning, he told me that we
>>>>>>>>>> determined to
>>>>>>>>>> defer this feature/task to seek a better solution. Shao He told me
>>>>>>>>>> that
>>>>>>>>>> they sent the patch as RFC, not aim to be a final solution.
>>>>>>>>>> However it
>>>>>>>>>> is a big misleading to other developers because there is no RFC in
>>>>>>>>>> the
>>>>>>>>>> patch title. There is even no reviewed-by. Is there any reason to
>>>>>>>>>> merge
>>>>>>>>>> it so hurry?
>>>>>>>>> This is already V5, how can it be an RFC?
>>>>>>>>>> If there was any time and task pressure, I think as an open source
>>>>>>>>>> project, the progress should have some flexibility. We should not
>>>>>>>>>> write
>>>>>>>>>> code for a known broken solution, while there is obvious
>>>>>>>>>> alternative
>>>>>>>>>> solutions. This is very different from incremental development. In
>>>>>>>>>> incremental development, the direction and the solution is
>>>>>>>>>> correct, we
>>>>>>>>>> just completes the missing pieces step by step. In this case, the
>>>>>>>>>> solution and the framework itself is not so effective. Once it's
>>>>>>>>>> merged,
>>>>>>>>>> we started to rely on this, and changing and improving it would be
>>>>>>>>>> much
>>>>>>>>>> harder.
>>>>>>>>> Speed will always be most key to succeed for any organization.
>>>>>>>>> There is nothing broken, it works well.
>>>>>>>>> Improvement will never stop.
>>>>>>>>>
>>>>>>>>> Again, the overall solution is discussed across whole team in one
>>>>>>>>> of the
>>>>>>>>> Wed's team meeting.
>>>>>>>>> Cookie is the best way to store previousPage to reserve user
>>>>>>>>> context. If
>>>>>>>>> anyone see a better way than cookie for this issue, welcome to
>>>>>>>>> discuss
>>>>>>>>> with me.
>>>>>>>>>
>>>>>>>>> As zhengsheng point out, we need to try to improve that small bit of
>>>>>>>>> code to store previousPage into cookie. but again, it works well
>>>>>>>>> currently.
>>>>>>>>> But obviously, that is far from a justification to stop this patch
>>>>>>>>> from
>>>>>>>>> being merged.
>>>>>>>>>> on 2014/06/13 05:50, Aline Manera wrote:
>>>>>>>>>>> Applied. Thanks.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>>
>>>>>>>>>>> Aline Manera
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Kimchi-devel mailing list
>>>>>>>>>>> Kimchi-devel@ovirt.org
>>>>>>>>>>> http://lists.ovirt.org/mailman/listinfo/kimchi-devel
>>>>>>>>>>>
>>>
On 06/13/2014 05:57 PM, Yu Xin Huo wrote:
On 6/13/2014 5:45 PM, Zhou Zheng Sheng wrote:
So your point is the proposed alternatives is uglier than the current one, and the current one can be improved.
Firstly from the JS accessing browser history link you gave me, I don't see anywhere it says it's unreliable. The solution doesn't need to inspect the history, it just back needs to go back.
Secondly you think "refresh.html" is uglier than cookie. It's actually not. A "refresh.html" only affects the login process, but the current cookie solution affects all requests and responses that is not related to login. The current solution works, but it is far from works well, and if you want to improve it by suppress sending the previous page cookie in AJAX requests and response, more hacks would be added in both front-end and back-end. This is not improving step by step. To improve step by step, the original direction should be correct and effective, but this is not. Again, there will always cookie back and forth between browser and web container. It is handled automatically by browser and web container. What make you uncomfortable is that piece of code at server side to get previousPage.
Both client javascript and web container can set cookie. the previsousPage can also be set with javascript in client side, each time user go to a new tab, there is a callback, in the callback, previousPage can be set into cookie. I wonder can client redirect by browser history without cookies.
on 2014/06/13 17:24, Yu Xin Huo wrote:
First of all, what you are complaining about is a pretty, pretty small fraction of the overall login solution. For that fraction, the design is to back to the original url after user login from a session timeout. Shaohe's current implementation works well. what zhengsheng means is about how to improve it.
On 6/13/2014 3:12 PM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved. We have ever discussed several options, but we have not converged to a certain one. Let me continue to read to see what the 'ugly' you mean.
This solution works very well, it can always be improved.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones. Handling cookie back and forth is done by browser and web container. There will be always cookie, this is not an additional overhead. What shaohe does is only to get the current tab url. That is a quite small amount of code. So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this. This is server side redirect after form is submitted, at that time, client side has no code to run. Server side redirect browser directly to last page in login response, quite straight-forward.
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access. internal redirect will make browser url mismatch with the content.
I do not think brower history will be a reliable solution. http://www.w3schools.com/js/js_window_history.asp the current design will always keep url address its intended content, this is a virtue over internal redirect we should pursue.
The ugly cookie is removed, but introduced *a much uglier* "refresh.html" and code in that html. To me, it is much more complicated.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by. This is not to-be-abandoned solution. Adam, Aline, Shao He and I have discussed this in a team meeting. It is sent to mail list. all people subscribed to mail list should get it. It is already V5, it is reviewed enough. After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry? This is already V5, how can it be an RFC? If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder. Speed will always be most key to succeed for any organization. There is nothing broken, it works well. Improvement will never stop.
Again, the overall solution is discussed across whole team in one of the Wed's team meeting. Cookie is the best way to store previousPage to reserve user context. If anyone see a better way than cookie for this issue, welcome to discuss with me.
As zhengsheng point out, we need to try to improve that small bit of code to store previousPage into cookie. but again, it works well currently. But obviously, that is far from a justification to stop this patch from being merged.
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
-- Thanks and best regards! Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com> IBM Linux Technology Center
On 6/13/2014 6:09 PM, Sheldon wrote:
On 06/13/2014 05:57 PM, Yu Xin Huo wrote:
On 6/13/2014 5:45 PM, Zhou Zheng Sheng wrote:
So your point is the proposed alternatives is uglier than the current one, and the current one can be improved.
Firstly from the JS accessing browser history link you gave me, I don't see anywhere it says it's unreliable. The solution doesn't need to inspect the history, it just back needs to go back.
Secondly you think "refresh.html" is uglier than cookie. It's actually not. A "refresh.html" only affects the login process, but the current cookie solution affects all requests and responses that is not related to login. The current solution works, but it is far from works well, and if you want to improve it by suppress sending the previous page cookie in AJAX requests and response, more hacks would be added in both front-end and back-end. This is not improving step by step. To improve step by step, the original direction should be correct and effective, but this is not. Again, there will always cookie back and forth between browser and web container. It is handled automatically by browser and web container. What make you uncomfortable is that piece of code at server side to get previousPage.
Both client javascript and web container can set cookie. the previsousPage can also be set with javascript in client side, each time user go to a new tab, there is a callback, in the callback, previousPage can be set into cookie. I wonder can client redirect by browser history without cookies. I have ever already stated that browser history is unreliable which definitely can not be adopted, please stop thinking about browser history.
Again, Brower history is at brower level, not application level. Read below, If session timeout, kimchi login page is presented. At this time, user go to www.google.com, searched something. Then user input kimchi url to login. If leverage brower history, then back to www.google.com.
on 2014/06/13 17:24, Yu Xin Huo wrote:
First of all, what you are complaining about is a pretty, pretty small fraction of the overall login solution. For that fraction, the design is to back to the original url after user login from a session timeout. Shaohe's current implementation works well. what zhengsheng means is about how to improve it.
On 6/13/2014 3:12 PM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved. We have ever discussed several options, but we have not converged to a certain one. Let me continue to read to see what the 'ugly' you mean.
This solution works very well, it can always be improved.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones. Handling cookie back and forth is done by browser and web container. There will be always cookie, this is not an additional overhead. What shaohe does is only to get the current tab url. That is a quite small amount of code. So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this. This is server side redirect after form is submitted, at that time, client side has no code to run. Server side redirect browser directly to last page in login response, quite straight-forward.
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access. internal redirect will make browser url mismatch with the content.
I do not think brower history will be a reliable solution. http://www.w3schools.com/js/js_window_history.asp the current design will always keep url address its intended content, this is a virtue over internal redirect we should pursue.
The ugly cookie is removed, but introduced *a much uglier* "refresh.html" and code in that html. To me, it is much more complicated.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by. This is not to-be-abandoned solution. Adam, Aline, Shao He and I have discussed this in a team meeting. It is sent to mail list. all people subscribed to mail list should get it. It is already V5, it is reviewed enough. After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry? This is already V5, how can it be an RFC? If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder. Speed will always be most key to succeed for any organization. There is nothing broken, it works well. Improvement will never stop.
Again, the overall solution is discussed across whole team in one of the Wed's team meeting. Cookie is the best way to store previousPage to reserve user context. If anyone see a better way than cookie for this issue, welcome to discuss with me.
As zhengsheng point out, we need to try to improve that small bit of code to store previousPage into cookie. but again, it works well currently. But obviously, that is far from a justification to stop this patch from being merged.
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
On 6/13/2014 5:45 PM, Zhou Zheng Sheng wrote:
So your point is the proposed alternatives is uglier than the current one, and the current one can be improved.
Firstly from the JS accessing browser history link you gave me, I don't see anywhere it says it's unreliable. The solution doesn't need to inspect the history, it just back needs to go back. Brower history is at brower level, not application level. Read below,
If session timeout, kimchi login page is presented. At this time, user go to www.google.com, searched something. Then user input kimchi url to login. If leverage brower history, then back to www.google.com.
Secondly you think "refresh.html" is uglier than cookie. It's actually not. A "refresh.html" only affects the login process, but the current cookie solution affects all requests and responses that is not related to login. The current solution works, but it is far from works well, and if you want to improve it by suppress sending the previous page cookie in AJAX requests and response, more hacks would be added in both front-end and back-end. This is not improving step by step. To improve step by step, the original direction should be correct and effective, but this is not.
on 2014/06/13 17:24, Yu Xin Huo wrote:
First of all, what you are complaining about is a pretty, pretty small fraction of the overall login solution. For that fraction, the design is to back to the original url after user login from a session timeout. Shaohe's current implementation works well. what zhengsheng means is about how to improve it.
On 6/13/2014 3:12 PM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved. We have ever discussed several options, but we have not converged to a certain one. Let me continue to read to see what the 'ugly' you mean.
This solution works very well, it can always be improved.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones. Handling cookie back and forth is done by browser and web container. There will be always cookie, this is not an additional overhead. What shaohe does is only to get the current tab url. That is a quite small amount of code. So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this. This is server side redirect after form is submitted, at that time, client side has no code to run. Server side redirect browser directly to last page in login response, quite straight-forward.
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access. internal redirect will make browser url mismatch with the content.
I do not think brower history will be a reliable solution. http://www.w3schools.com/js/js_window_history.asp the current design will always keep url address its intended content, this is a virtue over internal redirect we should pursue.
The ugly cookie is removed, but introduced *a much uglier* "refresh.html" and code in that html. To me, it is much more complicated.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by. This is not to-be-abandoned solution. Adam, Aline, Shao He and I have discussed this in a team meeting. It is sent to mail list. all people subscribed to mail list should get it. It is already V5, it is reviewed enough. After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry? This is already V5, how can it be an RFC? If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder. Speed will always be most key to succeed for any organization. There is nothing broken, it works well. Improvement will never stop.
Again, the overall solution is discussed across whole team in one of the Wed's team meeting. Cookie is the best way to store previousPage to reserve user context. If anyone see a better way than cookie for this issue, welcome to discuss with me.
As zhengsheng point out, we need to try to improve that small bit of code to store previousPage into cookie. but again, it works well currently. But obviously, that is far from a justification to stop this patch from being merged.
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
On 06/13/2014 04:12 AM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved.
I am not aware about ANY discuss you have just mentioned. ALL discussion related to patches/features **MUST BE DONE IN THE MAILING LIST** to the whole team be aware about it! And in a V5 patch, you have more than enough time to do it.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones.
So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this.
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by.
If I applied the patches I reviewed it!
After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry?
An RFC named as V5? A V5 patch set is to "be so hurry" for you??
If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder.
If you think you solution is better, send the patch!
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
On 06/14/2014 01:18 PM, Aline Manera wrote:
On 06/13/2014 04:12 AM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved.
I am not aware about ANY discuss you have just mentioned. ALL discussion related to patches/features **MUST BE DONE IN THE MAILING LIST OR DURING THE SCRUM MEETING** to the whole team be aware about it!
Sorry, I forgot to mention the scrum meeting
And in a V5 patch, you have more than enough time to do it.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones.
So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this.
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by.
If I applied the patches I reviewed it!
After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry?
An RFC named as V5? A V5 patch set is to "be so hurry" for you??
If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder.
If you think you solution is better, send the patch!
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
on 2014/06/15 00:18, Aline Manera wrote:
On 06/13/2014 04:12 AM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved.
I am not aware about ANY discuss you have just mentioned. ALL discussion related to patches/features **MUST BE DONE IN THE MAILING LIST** to the whole team be aware about it!
And in a V5 patch, you have more than enough time to do it.
Yes. The problem is that after a local discussion we reached an agreement and I trusted Shao He and Yu Xin who were actively work on this should have reflected the discussion result either in the patch or in the mail. Sorry for not sending the discussion to the mail list. I'd send my opinion to mail list every from now on.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones.
So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this.
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by.
If I applied the patches I reviewed it!
You are the boss ;-). However even if you thought the solution is acceptable, there was some new code in the v5 patch and it's worth getting reviewed by other developers.
After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry?
An RFC named as V5? A V5 patch set is to "be so hurry" for you??
Yes. It's so hurry. The fact is the solution of redirecting user back to previous page is not mature and I was strongly against it. As I said, Yu Xin and Shao He also thought it's bad. The v5 patch does not improve this at all. In fact I'd be curious on how it didn't get improved through 5 series of patches.There was also no investigation on how other sites does this. In my opinion, if it's not mature, we can split out the redirection part, and apply the rest part, so that it can be improved. By the way, I think the version count does not directly related to the completeness of a patch series. If it does not reach a certain point of maturity, we should improve it in new version. In other projects it's usual to see a patch gets updated to v8 v10 or even more. For example: [Qemu-devel] [PATCH v8 00/20] virtio endian-ambivalent target [Qemu-devel] [PATCH v10 1/6] block: round up file size to nearest sector [libvirt] [PATCH v8 0/4] Handling of undefine and r e define snapshots with VirtualBox 4.2 or higher http://gerrit.ovirt.org/#/c/28088/ v12 Final separation of IOProcess and RFH For this particular patch series, I think the redirecting part is very ugly, the rest part is good. At least we can split out and merge the rest, and improve the redirection mechanism. Consider this patch series contains lots of mechanism changes, it's normal to update more than 5 or 6 times to get it ready.
If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder.
If you think you solution is better, send the patch!
It's always cheap to change things in the design phase, then development phase. Once it's merged, new code starts to rely on it, and things would get harder to changes. I already expressed my opinion to the developers, and the redirection does not get improved even the patch was updated through 5 series. I'd always happy to help, but I'm lack of some front-end knowledge to do the UI part. However, don't knowing how to make a film does not mean that the audience can not give comments on the quality of the film. The same applies to patches. If you always say "If you think you solution is better, send the patch!", that's destroying the basis of code review. If your logic takes hold, there should be no code review at all, and to do one thing right, we just submit patches by patches and go in circles. The problem is that the authors of this patch series neither did any investigation on how other sites do login redirection nor tried any of the proposed alternatives. If there's something we all know it's important, but the current solution is evil, and the same thing has been solved by other WEB sites already, why we persisted on this solution and merged it so quickly? If we consider an open source project as a product, the code quality is an key point of this product, since its internal opens to everyone. Merging a patch is a declaration of admitting that the code quality reaches the common quality of this project. Yes, we can always improve, but, shouldn't we have some bottom line?
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
-- Zhou Zheng Sheng / 周征晟 E-mail: zhshzhou@linux.vnet.ibm.com Telephone: 86-10-82454397
on 2014/06/15 00:18, Aline Manera wrote:
On 06/13/2014 04:12 AM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved. I am not aware about ANY discuss you have just mentioned. ALL discussion related to patches/features **MUST BE DONE IN THE MAILING LIST** to the whole team be aware about it!
And in a V5 patch, you have more than enough time to do it.
Yes. The problem is that after a local discussion we reached an agreement and I trusted Shao He and Yu Xin who were actively work on this should have reflected the discussion result either in the patch or in the mail. Sorry for not sending the discussion to the mail list. I'd send my opinion to mail list every from now on. The agreement is that it worth a try, not as a final design.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones.
So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this.
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by. If I applied the patches I reviewed it!
You are the boss ;-). However even if you thought the solution is acceptable, there was some new code in the v5 patch and it's worth getting reviewed by other developers.
After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry? An RFC named as V5? A V5 patch set is to "be so hurry" for you??
Yes. It's so hurry. The fact is the solution of redirecting user back to previous page is not mature and I was strongly against it. As I said, Yu Xin and Shao He also thought it's bad. The v5 patch does not improve this at all. In fact I'd be curious on how it didn't get improved through 5 series of patches.There was also no investigation on how other sites does this. In my opinion, if it's not mature, we can split out the redirection part, and apply the rest part, so that it can be improved. I am not thinking it is bad, till now, I am still thinking cookie is the only way to support all the scenarios we want to support.
By the way, I think the version count does not directly related to the completeness of a patch series. If it does not reach a certain point of maturity, we should improve it in new version. In other projects it's usual to see a patch gets updated to v8 v10 or even more. For example:
[Qemu-devel] [PATCH v8 00/20] virtio endian-ambivalent target [Qemu-devel] [PATCH v10 1/6] block: round up file size to nearest sector [libvirt] [PATCH v8 0/4] Handling of undefine and r e define snapshots with VirtualBox 4.2 or higher http://gerrit.ovirt.org/#/c/28088/ v12 Final separation of IOProcess and RFH If you would like to reference engineering statistics from other
On 6/16/2014 12:12 PM, Zhou Zheng Sheng wrote: projects, please get their average patch version or the whole open source field's average patch versions. You intentionally to reference their several big version patches, it will mislead the whole team.
For this particular patch series, I think the redirecting part is very ugly, the rest part is good. At least we can split out and merge the rest, and improve the redirection mechanism. Consider this patch series contains lots of mechanism changes, it's normal to update more than 5 or 6 times to get it ready.
I did not get any justification at all to pursue to try to get a patch version as big as possible.
If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder. If you think you solution is better, send the patch!
It's always cheap to change things in the design phase, then development phase. Once it's merged, new code starts to rely on it, and things would get harder to changes. I already expressed my opinion to the developers, and the redirection does not get improved even the patch was updated through 5 series. I'd always happy to help, but I'm lack of some front-end knowledge to do the UI part. However, don't knowing how to make a film does not mean that the audience can not give comments on the quality of the film. The same applies to patches. If you always say "If you think you solution is better, send the patch!", that's destroying the basis of code review. If your logic takes hold, there should be no code review at all, and to do one thing right, we just submit patches by patches and go in circles.
Welcome your comment, please focus on the overall solution. Parts of the solution are inter-connected, pieces can not be separated. we always discuss pieces with the overall solution in mind, please also. Current design is as below: 1. user first time access a protected resource, redirect login page. 2. when session timeout, redirect user to login page with a message "session timeout, please re-login". 3. if anytime a wrong user/pass is provided, redirect back to login page with a message "username/password wrong." 4. if user login successfully, always redirect to the url that he intend to go originally. if you are truly interested to be involved, please think about the overall solution totally when you are challenging a piece. You do not need to code everything out so client side skill is not an excuse.
The problem is that the authors of this patch series neither did any investigation on how other sites do login redirection nor tried any of the proposed alternatives. If there's something we all know it's important, but the current solution is evil, and the same thing has been solved by other WEB sites already, why we persisted on this solution and merged it so quickly?
Before layout your own overall solution, please do not speak with assumption.
If we consider an open source project as a product, the code quality is an key point of this product, since its internal opens to everyone. Merging a patch is a declaration of admitting that the code quality reaches the common quality of this project. Yes, we can always improve, but, shouldn't we have some bottom line?
This is a design discussion, it has nothing to do with code quality, the current code support the design well.
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
on 2014/06/16 16:34, Yu Xin Huo wrote:
On 6/16/2014 12:12 PM, Zhou Zheng Sheng wrote:
on 2014/06/15 00:18, Aline Manera wrote:
On 06/13/2014 04:12 AM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved. I am not aware about ANY discuss you have just mentioned. ALL discussion related to patches/features **MUST BE DONE IN THE MAILING LIST** to the whole team be aware about it!
And in a V5 patch, you have more than enough time to do it.
Yes. The problem is that after a local discussion we reached an agreement and I trusted Shao He and Yu Xin who were actively work on this should have reflected the discussion result either in the patch or in the mail. Sorry for not sending the discussion to the mail list. I'd send my opinion to mail list every from now on. The agreement is that it worth a try, not as a final design.
If you didn't try, how do you know which is better? If I remembered correctly, you agreed to try it and agreed that the current solution was too dirty.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones.
So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this.
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by. If I applied the patches I reviewed it!
You are the boss ;-). However even if you thought the solution is acceptable, there was some new code in the v5 patch and it's worth getting reviewed by other developers.
After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry? An RFC named as V5? A V5 patch set is to "be so hurry" for you??
Yes. It's so hurry. The fact is the solution of redirecting user back to previous page is not mature and I was strongly against it. As I said, Yu Xin and Shao He also thought it's bad. The v5 patch does not improve this at all. In fact I'd be curious on how it didn't get improved through 5 series of patches.There was also no investigation on how other sites does this. In my opinion, if it's not mature, we can split out the redirection part, and apply the rest part, so that it can be improved.
I am not thinking it is bad, till now, I am still thinking cookie is the only way to support all the scenarios we want to support.
By the way, I think the version count does not directly related to the completeness of a patch series. If it does not reach a certain point of maturity, we should improve it in new version. In other projects it's usual to see a patch gets updated to v8 v10 or even more. For example:
[Qemu-devel] [PATCH v8 00/20] virtio endian-ambivalent target [Qemu-devel] [PATCH v10 1/6] block: round up file size to nearest sector [libvirt] [PATCH v8 0/4] Handling of undefine and r e define snapshots with VirtualBox 4.2 or higher http://gerrit.ovirt.org/#/c/28088/ v12 Final separation of IOProcess and RFH
If you would like to reference engineering statistics from other projects, please get their average patch version or the whole open source field's average patch versions. You intentionally to reference their several big version patches, it will mislead the whole team.
No, my point is not that we should update so many version for each patch, instead, the point is for big mechanism change, a large version count is not rare. Just v5 does not gives it the justification to be mature, only the test discussion and code review on the code and solution does.
For this particular patch series, I think the redirecting part is very ugly, the rest part is good. At least we can split out and merge the rest, and improve the redirection mechanism. Consider this patch series contains lots of mechanism changes, it's normal to update more than 5 or 6 times to get it ready.
I did not get any justification at all to pursue to try to get a patch version as big as possible.
I did not said at all you should get a patch version as big as possible.
If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder. If you think you solution is better, send the patch!
It's always cheap to change things in the design phase, then development phase. Once it's merged, new code starts to rely on it, and things would get harder to changes. I already expressed my opinion to the developers, and the redirection does not get improved even the patch was updated through 5 series. I'd always happy to help, but I'm lack of some front-end knowledge to do the UI part. However, don't knowing how to make a film does not mean that the audience can not give comments on the quality of the film. The same applies to patches. If you always say "If you think you solution is better, send the patch!", that's destroying the basis of code review. If your logic takes hold, there should be no code review at all, and to do one thing right, we just submit patches by patches and go in circles.
Welcome your comment, please focus on the overall solution. Parts of the solution are inter-connected, pieces can not be separated. we always discuss pieces with the overall solution in mind, please also.
Current design is as below:
1. user first time access a protected resource, redirect login page. 2. when session timeout, redirect user to login page with a message "session timeout, please re-login". 3. if anytime a wrong user/pass is provided, redirect back to login page with a message "username/password wrong." 4. if user login successfully, always redirect to the url that he intend to go originally.
No. I don't see there is any trouble to split this piece out. You can always redirect the user back to the /host tab as a temp solution, then improve the redirection solution.
if you are truly interested to be involved, please think about the overall solution totally when you are challenging a piece. You do not need to code everything out so client side skill is not an excuse.
The fact is that I can only code the back-end, and my proposed solution involves front-end coding. If I didn't get help from the front-end, how can I submit patches? You didn't give a try on the alternative solution. If you did, I'm sure I can help with the back-end things.
The problem is that the authors of this patch series neither did any investigation on how other sites do login redirection nor tried any of the proposed alternatives. If there's something we all know it's important, but the current solution is evil, and the same thing has been solved by other WEB sites already, why we persisted on this solution and merged it so quickly?
Before layout your own overall solution, please do not speak with assumption.
I don't see any trouble of my proposed redirection solution to leave with the current one.
If we consider an open source project as a product, the code quality is an key point of this product, since its internal opens to everyone. Merging a patch is a declaration of admitting that the code quality reaches the common quality of this project. Yes, we can always improve, but, shouldn't we have some bottom line?
This is a design discussion, it has nothing to do with code quality, the current code support the design well.
Sorry for the misleading. By saying "code quality" I meant to say the design and code. I think my argument still takes hold if you consider the design.
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
-- Zhou Zheng Sheng / 周征晟 E-mail: zhshzhou@linux.vnet.ibm.com Telephone: 86-10-82454397
Sheldon, Yu Xin: I identified 2 issues in this new flow 1) The username is not being displayed 2) When I access "https://localhost:8001/vnc_auto.html?port=64667&path=?token=Fedora&encrypt=1" without be logged in, I am redirected to the login page and after it I got the Guests tabs instead of the VM console The logic to do the proper redirect to the VM console is in kimchi.login_main() (ui/js/src/kimchi.login_window.js) I am wondering why we are not using it In the login.html.tmpl, we are using local functions to do the login, I think we need to call kimhi.login_main() instead have JS into login.html.tpml Please, send a patch for those issues AS SOON AS POSSIBLE as kimchi 1.2.1 will be released next Friday (June 20) Thanks, Aline Manera On 06/13/2014 04:12 AM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones.
So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this.
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by.
After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry?
If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder.
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
ÿØÿà
On 6/15/2014 12:38 AM, Aline Manera wrote:
Sheldon, Yu Xin:
I identified 2 issues in this new flow
1) The username is not being displayed
in login.html.tmpl, add one line code. function updateBtnLabel() { document.getElementById("login").style.display = "none"; document.getElementById("logging").style.display = ""; kimchi.user.setUserName(document.getElementById("username").value); } this line of code will store a 'username' attribute into cookie, for the left, original popup login window code will handle to add user name to UI.
2) When I access "https://localhost:8001/vnc_auto.html?port=64667&path=?token=Fedora&encrypt=1" without be logged in, I am redirected to the login page and after it I got the Guests tabs instead of the VM console
After some investigation, backend has not handled the first time user paste a url(vnc_auto.html or /#tabs/templates), For current design, the brower url will always taken as 'previousPage' and stored in cookie. Shao he will add code to handle it.
The logic to do the proper redirect to the VM console is in kimchi.login_main() (ui/js/src/kimchi.login_window.js) I am wondering why we are not using it In the login.html.tmpl, we are using local functions to do the login, I think we need to call kimhi.login_main() instead have JS into login.html.tpml
Some code there are bind to UI structure and can only apply to login popup, can not reused. As there are too few css/js code in current login.html, so leave it there, but it is quite easy to separate those code to js, css files.
Please, send a patch for those issues AS SOON AS POSSIBLE as kimchi 1.2.1 will be released next Friday (June 20)
Thanks, Aline Manera
On 06/13/2014 04:12 AM, Zhou Zheng Sheng wrote:
If I remembered correctly, Shao He, Yu Xin and me had several long talks on the login design. This solution is not the solution we agreed, and all of us thought that this solution is ugly and obviously should be improved.
The problem is on how it redirects the user back to the previous page after login. In this patch, the back-end has to intercepts each access to any of the ".html" page, and sets cookie['lastPage'] = current page URI, and return it to front-end, then the front-end sends this cookie to back-end in every query, including AJAX query. When the session expires, the back-end redirects the front-end to a login page, after login successfully, the back-end gets cookie['lastPage'], at last, redirect the user to the last page.
Just to implement returning to the previous page afte login, the back-end has to intercept each '.html' access and sets cookie, and the front-end has to send the cookie in each request including AJAX ones.
So in the last talk we agreed that a simpler and more effective solution should be used. We at least have two alternative solutions.
1. When session is expired, we redirect the user to login.html. After login successfully, the JS script in the front-end asks the browser to go back to the previous page. Since the browser keeps a stack of page histories, it should be easy to do this.
2. When the back-end detects the session is expired or the user hasn't login yet, it uses internal redirect to present the "login.html". From the front-end point of view, an unauthenticated access to "GET #tabs/vms.html" returns "login.html". After the user input his/her password in the "login.html" and click "login", the back-end receives the request, if the password is correct, it returns a "refresh.html". In "refresh.html" there is actually a small JS code to ask the browser to refresh the page. Since we are using internal redirect all the time, the page URI in the browser remains "#tabs/vms.html", so after the login, just refreshing the page would lead user to the real "vms.html.tmpl".
In the above two solutions, no ugly cookie is needed for each request and response, and the back-end doesn't have to intercept each ".html" access, but just has to intercept each unauthenticated access.
I don't know why Yu Xin and Shao He sent the to-be-abandoned solution again to the mailing list. Patches were sent on 20:00 Chinese local time, the patches got merged in 05:00 Chinese local time in the next day. There is no other developer gets CCed. There is no reviewed-by.
After talked to Shao He this morning, he told me that we determined to defer this feature/task to seek a better solution. Shao He told me that they sent the patch as RFC, not aim to be a final solution. However it is a big misleading to other developers because there is no RFC in the patch title. There is even no reviewed-by. Is there any reason to merge it so hurry?
If there was any time and task pressure, I think as an open source project, the progress should have some flexibility. We should not write code for a known broken solution, while there is obvious alternative solutions. This is very different from incremental development. In incremental development, the direction and the solution is correct, we just completes the missing pieces step by step. In this case, the solution and the framework itself is not so effective. Once it's merged, we started to rely on this, and changing and improving it would be much harder.
on 2014/06/13 05:50, Aline Manera wrote:
Applied. Thanks.
Regards,
Aline Manera
_______________________________________________ Kimchi-devel mailing list Kimchi-devel@ovirt.org http://lists.ovirt.org/mailman/listinfo/kimchi-devel
On 06/15/2014 12:38 AM, Aline Manera wrote:
2) When I access "https://localhost:8001/vnc_auto.html?port=64667&path=?token=Fedora&encrypt=1" without be logged in, I am redirected to the login page and after it I got the Guests tabs instead of the VM console
The logic to do the proper redirect to the VM console is in kimchi.login_main() (ui/js/src/kimchi.login_window.js) I am wondering why we are not using it
In the login.html.tmpl, we are using local functions to do the login, I think we need to call kimhi.login_main() instead have JS into login.html.tpml
Please, send a patch for those issues AS SOON AS POSSIBLE as kimchi 1.2.1 will be released next Friday (June 20)
Thanks, Aline Manera
see patch bug fix: redirect to the protected page after login -- Thanks and best regards! Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com> IBM Linux Technology Center
On 06/15/2014 12:38 AM, Aline Manera wrote:
2) When I access "https://localhost:8001/vnc_auto.html?port=64667&path=?token=Fedora&encrypt=1" without be logged in, I am redirected to the login page and after it I got the Guests tabs instead of the VM console
The logic to do the proper redirect to the VM console is in kimchi.login_main() (ui/js/src/kimchi.login_window.js) I am wondering why we are not using it
In the login.html.tmpl, we are using local functions to do the login, I think we need to call kimhi.login_main() instead have JS into login.html.tpml
Please, send a patch for those issues AS SOON AS POSSIBLE as kimchi 1.2.1 will be released next Friday (June 20)
Thanks, Aline Manera see patch: [PATCH V3 0/2] bug fix: redirect to the protected page after login
-- Thanks and best regards! Sheldon Feng(冯少合)<shaohef@linux.vnet.ibm.com> IBM Linux Technology Center
participants (5)
-
Aline Manera -
shaohef@linux.vnet.ibm.com -
Sheldon
-
Yu Xin Huo -
Zhou Zheng Sheng