7

Is there a safe way to check if the user has logged into the application rather than checking if "sid" cookie exists in user's machine ?

I want to allow the user to proceed on certain links on a page only if they have logged in.

I do the login validation on the server side but want to avoid the request trip.

Pure JS or JQuery solution would be appreciated.

Thank you.

Me Unagi
  • 595
  • 2
  • 6
  • 17

6 Answers

10

Please try this

Put this code after user first log in

// jQuery 3 removed .load() as an event shorthand; .on('load', ...) works on all versions
jQuery(window).on('load', function() {
  sessionStorage.setItem('status', 'loggedIn');
});

When ever user clicks a link you can check like

if (sessionStorage.getItem('status') != null) {
    //redirect to page
}
else {
    //show validation message
}
Rino Raj
  • 6,156
  • 2
  • 25
  • 39
  • 4
  • You should be aware that session storage is not shared across tabs. If the user does an 'open in new tab', the new tab won't have the session storage value. There are ways to copy session storage from one tab to another using local storage as an intermediary. See https://stackoverflow.com/questions/20325763/browser-sessionstorage-share-between-tabs – Connell.O'Donnell Feb 10 '21 at 16:30
4

As you ask for a "safe way": No. You should always validate the user's session on the server side for all requests.

Something you could do though is to adapt the front end to the user's current status. For example, change the "Login" link to a "Logout" link. For this to work you could set some kind of flag on the user's machine. You could use the browser local storage for this (http://www.w3schools.com/html/html5_webstorage.asp).

Something else you could do, for example, is change the behavior of links:

$("a").click(function(e){
    // Web Storage only holds strings, so compare against the string "true";
    // comparing against the boolean true never matches and would block every link
    if(localStorage.getItem("isLoggedIn") !== "true") {
        e.preventDefault();
        // this prevents navigation and you can now do your js stuff here
    }
});
newBee
  • 1,260
  • 12
  • 30
  • That answer should be the accepted one, for the question was how to do the check safely, and it is not possible indeed (client code cannot be trusted; setting/reading a piece of information on the client, be it in/from a cookie, local storage, etc., is not going to change that). The security model relies on the client execution stack (e.g. the browser) not being tampered with (i.e. install a safe, open-source or trustable browser), and on the network stack as well (see middleman => https://) – chikamichi Apr 15 '20 at 19:09
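The two answers above both keep a "logged in" flag in Web Storage and gate links on it. The following is an added example, not code from either answer, that does the same thing but stores a JSON record with an expiry so a stale flag stops gating links by itself, treats garbage in storage as "not logged in", and wraps the click handler so it can be unit-tested. Assumptions (not from the thread): the key name loginHint, an expiresAt timestamp in Unix milliseconds that the server tells the page at login, and an in-memory stand-in for Web Storage so the code runs outside a browser. As the answer says, this is a convenience for the UI only; the server still has to validate the session on every request.

```javascript
// Added example: a client-side login *hint* in Web Storage, used only to
// adapt the UI and cancel navigation early. Nothing here grants access;
// the server must still check the session on every request.

const HINT_KEY = 'loginHint'; // assumed key name

// Record that the user logged in. expiresAt (Unix ms) is assumed to come
// from the server's login response, so the hint and the session expire together.
function setLoginHint(storage, expiresAt) {
  storage.setItem(HINT_KEY, JSON.stringify({ loggedIn: true, expiresAt }));
}

function clearLoginHint(storage) {
  storage.removeItem(HINT_KEY);
}

// True only if a well-formed, unexpired hint is present. Web Storage values
// are always strings, so a bare "true" or a stale/garbled record counts as
// "not logged in" and is removed so the UI stops lying.
function isLoggedInHint(storage, now = Date.now()) {
  const raw = storage.getItem(HINT_KEY);
  if (raw === null) return false;
  let rec;
  try {
    rec = JSON.parse(raw);
  } catch (e) {
    storage.removeItem(HINT_KEY); // not our record: drop it
    return false;
  }
  if (!rec || rec.loggedIn !== true || typeof rec.expiresAt !== 'number') return false;
  if (now >= rec.expiresAt) {
    storage.removeItem(HINT_KEY); // expired: drop it
    return false;
  }
  return true;
}

// Build a click handler for links that need a session. When the hint says
// the user is not logged in, navigation is cancelled and onBlocked is called
// (e.g. to show a "please log in" message). Returns true when navigation proceeds.
function makeLinkGuard(storage, onBlocked, now = () => Date.now()) {
  return function guard(event) {
    if (isLoggedInHint(storage, now())) return true;
    event.preventDefault();
    onBlocked(event);
    return false;
  };
}

// In a browser (assumed attribute name data-needs-login):
//   document.querySelectorAll('a[data-needs-login]').forEach(a =>
//     a.addEventListener('click',
//       makeLinkGuard(window.localStorage, () => alert('Please log in first'))));
// localStorage is shared across tabs; sessionStorage (used in the first
// answer) is per-tab, so an "open in new tab" would start without the hint.

// Minimal in-memory stand-in for Web Storage so the example runs outside a browser.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}
```

The storage object is passed in rather than read from a global so the same code runs against window.localStorage in the page and against memoryStorage() in a test; the now parameter is injected for the same reason.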
3

if you are using ASP.Net Identity you can check it as follows

In Razor :

@inject SignInManager<ApplicationUser> SignInManager

@if (SignInManager.IsSignedIn(User))
{
    <input type="hidden" id="logged" value="true" />
}
else
{
    <input type="hidden" id="logged" value="false" />
}

In JS:

function check() {
    var signed = $('#logged').val();

    if (signed === 'true') {
        //What you want to do
    }
    else {
        window.location.href = "/YourController/YourAction?ReturnUrl=/YourReturnUrl";
    }
}
Hasan_H
  • 61
  • 3
0

It should work 100%

Put this code on the page after the login page (the login page's next page)

// jQuery 3 removed .load() as an event shorthand; .on('load', ...) works on all versions
jQuery(window).on('load', function() {
  sessionStorage.setItem('status', 'loggedIn');
});

Whenever the user clicks a link you can check on any page with the code below (any page)

if (sessionStorage.getItem('status') != null) {
    //redirect to page
    alert("Is Login : True");
}
else {
    //show validation message
    alert("Is Login : False");
}
Suresh Gopineni
  • 139
  • 2
  • 6
0

In my opinion you should save to your local storage an authToken with its expirationDate and then check whether it has expired every time you request something (GET not included), and also validate with the server whether the authToken has expired or not. 2-way validation.

Client to client and client to server. Both would be matched correctly.

Danto
  • 9
0

The solution is to store this information on the server as a session variable (using PHP), and then retrieve this information in JavaScript using AJAX.

JorensM
  • 115
  • 2
  • 11
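The two answers above both come down to "check locally first, then ask the server": Danto's 2-way validation and JorensM's AJAX call for the server-side session state. The following is an added example, not code from either answer, showing the server half of that and how to reconcile its answer with whatever client-side flag the page keeps. Assumptions (not from the thread): an endpoint /api/session that answers 200 with the JSON body {"loggedIn": true} for a valid session cookie and 401 otherwise, and that fetch is injected so a stub can stand in for the network outside a browser. The server's answer is authoritative in both directions: a stale flag is cleared when the server says the session is gone, and a missing flag (for instance in a fresh tab) is restored when the server confirms the session.

```javascript
// Added example: confirm the client-side flag with the server before acting
// on it. /api/session and its response shape are assumptions, not the thread's.

const SESSION_URL = '/api/session'; // assumed endpoint

// Pure decision on a server response. Anything other than an explicit
// 200 + {"loggedIn": true} is treated as "logged out" (fail closed), so an
// HTML error page, a proxy's 502 or a half-broken JSON body cannot unlock the UI.
function interpretSessionResponse(status, body) {
  if (status === 200 && body && body.loggedIn === true) {
    return { loggedIn: true, reason: 'server-confirmed' };
  }
  if (status === 401 || status === 403) {
    return { loggedIn: false, reason: 'server-rejected' };
  }
  return { loggedIn: false, reason: 'unexpected-response' };
}

// Reconcile the local flag (a boolean from whatever storage the page uses)
// with the server's answer. The server wins both ways: clearHint() is called
// when the flag is stale, restoreHint() when the flag was lost (e.g. a new
// tab without sessionStorage) but the session is still valid.
function decideAccess(localHint, serverResult, hooks) {
  if (serverResult.loggedIn) {
    if (!localHint) hooks.restoreHint();
    return { allowed: true, reason: localHint ? 'server-confirmed' : 'hint-restored' };
  }
  if (localHint) hooks.clearHint();
  return { allowed: false, reason: serverResult.reason };
}

// Network wrapper. fetchImpl is window.fetch in the page and a stub in tests.
// A network failure or a non-JSON body is reported as "not logged in" instead
// of throwing into the click handler.
async function verifySessionWithServer(fetchImpl, url = SESSION_URL) {
  try {
    const res = await fetchImpl(url, {
      method: 'GET',
      credentials: 'same-origin', // send the session cookie
      cache: 'no-store',          // never reuse a cached answer
      headers: { Accept: 'application/json' },
    });
    let body = null;
    try {
      body = await res.json();
    } catch (e) {
      body = null; // not JSON: falls through to "unexpected-response"
    }
    return interpretSessionResponse(res.status, body);
  } catch (e) {
    return { loggedIn: false, reason: 'network-error' };
  }
}

// Usage in the page (assumed helpers readHint/writeHint/dropHint for the flag):
//   link.addEventListener('click', async (ev) => {
//     ev.preventDefault();
//     const server = await verifySessionWithServer(window.fetch);
//     const d = decideAccess(readHint(), server,
//       { clearHint: dropHint, restoreHint: writeHint });
//     if (d.allowed) window.location.href = link.href; else showLoginPrompt();
//   });
```

Keeping interpretSessionResponse and decideAccess free of I/O means the fail-closed rules can be tested without a browser or a server; only verifySessionWithServer touches the network, and it is the one place where credentials and cache settings live.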