Ajax Design Patterns by Michael Mahemoff

It’s Saturday afternoon, and Stuart is busy planning the evening’s activities. He visits a band listings web site, where he clicks on a map to zoom into his local area. Even though he has never visited the site before, a profile, which he can see on the top of the site is already being constructed. At this stage, the profile guesses at his location based on his actions so far. As he browses some of the jazz bands, the profile starts to show an increasing preference for jazz bands, and some of the ads reflect that. Since the jazz thing is a one-time idea, he goes into his profile and tweaks some of those genre preferences but leaves the location alone since the system’s guess was correct. Finally, he decides to make a booking, at which point he establishes a password for future access to the same profile including his address, which is posted back to the profile.

How can the user customize the site while deferring formal registration?

Accumulate bits of information on the user as they interact while deferring formal registration. As soon as the user visits the web site, a user account with auto-generated ID is immediately created for her and set in a cookie that will remain in the browser. It doesn’t matter if she never return; unused IDs can be cleared after a few months.

As the user interacts with the application, the account accumulates data. In many cases, the data is explicitly contributed by the user, and it’s advisable to expose this kind of information so that the user can actually populate it. In this way, the initial profile may be seen as a structure with lots of holes. Some holes are eventually filled out automatically and others by the user himself. The user is also free to correct any of the filled-in data at any time (Figure 17-2).

Figure 17-2. User Profile

Two particularly notable “holes” are a unique user identifier and a password. It is this combination of attributes that allows the user to access the profile from another machine or a different browser. They will also preserve the profile in the case that cookies are deleted from the user’s browser. So, while this pattern is generally about gradual accumulation of profile data, there remains a significant milestone in the user/application relationship—the moment at which user ID and password are established.

Do the user ID and password have to be provided simultaneously? No. Even that can be incremental as long as you make the email address the unique identifier. In fact, this is pretty common nowadays. Email is usually required anyway, and it’s unique, so why not make it the user ID? In the context of Lazy Registration, though, there’s an additional benefit, as the email might be accumulated in the natural flow of events—the site might add the user to an announcements list, for example. In some cases, the email might even be verified during this process.

Sceptics may wonder why a user would want to actively work with her profile. The answer was formulated in a web usability pattern called “Carrot and a Stick” (http://jerry.cs.uiuc.edu/~plop/plop99/proceedings/Kane/perzel_kane.pdf):

Thus, users will only enter information if there is a perceived benefit to them. There is plenty of evidence that this occurs—witness the social bookmarking phenomenon, where thousands of users make public their personal links. By exposing their profiles, many of those users are hoping the system will point them in the direction of related resources they have not yet heard of.

Some web sites have used this pattern for years, so what does it have to do with Ajax? Lazy Registration aims for a smooth approach in which the barrier is low for each new user contribution. For instance, you sign up for a web site’s mailing list, and your email is automatically added to your profile and shown on the side of the page. With Ajax, there’s no need to break the flow. No more “just go over there for a few minutes, then come back here, and if you’re lucky, you might be looking at something similar to what you can see now.” That’s a big win for web sites aiming to drop the barrier of registration, and it’s great for users, too.

It’s standard practice for web sites to collect data about users. The aim of this pattern is to empower them to contribute to this. Instead of covertly building up a corpus of data on a user, you invite him to add value to his own experience by contributing and maintaining the data himself.^[*]

Several technologies are involved in Lazy Registration:

The Ajax Shop Demo (http://ajaxify.com/shop) illustrates the kind of user interface described by this pattern (Figure 17-5).

Figure 17-5. Ajax Shop Demo

When you run the demo, you’ll notice a few things:

Figure 17-6. Ajax Shop Demo with email address and password entered

To keep things simple, it doesn’t actually use a persistent data store; all information is held in the session. That’s definitely not advisable for a real system, because you don’t want to store passwords and other sensitive data there. Also, it means that the user, in theory, could bypass the email verification by inspecting the cookie. Nevertheless, the application demonstrates Lazy Registration from the user’s perspective, and the underlying code provides some illustration of what’s required to develop such an application.

Following are some of the features and how they were achieved.

  function onAddItemClicked(item) {
    var vars = {
      command: 'add',
      item: item
    }
    ajaxCaller.postForXML("cart.phtml", vars, onCartResponse);
  }

  function onCartClearClicked( ) {
    var vars = {
      command: 'clear'
    }
    ajaxCaller.postForXML("cart.phtml", vars, onCartResponse);
  }

  $cart = $_SESSION['cart'];
  if (isset($_POST["command"]) && $_POST["command"]=="add") {
    $item = $_POST["item"];
    $cart->add($item);
  } else if (isset($_POST["command"]) && $_POST["command"]=="clear") {
    $cart->clear( );
  }

  header("Content-type: text/xml");
  echo "<cart>";
  $contents = $cart->getContents( );
  foreach (array_keys($contents) as $itemName) {
    echo "<item>";
    echo "<name>$itemName</name>";
    echo "<amount>".$contents[$itemName]."</amount>";
    echo "</item>";
  }
  echo "</cart>";

  <div>
    <div class="userLabel">Email:</div>
    <input type="text" id="email" name="email" />
  </div>
  ...
  <span id="cartMail">Mail Contents</span>
  ....
  $("cartMail").onclick = onCartMailClicked;

  vars = {
    command: "mailCart",
    email: email
  }
  ajaxCaller.postForPlainText("cart.phtml", vars, function( ) {});

  function mailCart( ) {
    ...
    $email = $_POST["email"];
    // Add mail to the profile - it's part of the Lazy Registration.
    $_SESSION['email'] = $email;
    ...
  }

  <div id="favoriteCategoryInfo">
    My&nbsp;Best&nbsp;Category: <select id="favoriteCategory"></select>
  </div>
  function onAllCategoriesResponse(xml, ignoredHeaders, ignoredContext) {
    ...
    categoryExplores[category] = 0;
    favoriteCategoryOption = document.createElement("option");
    ...
  }

  var isFavoriteCategoryAutomated = true;

  var categoryExplores = new Array( );
  ...

  function onExploreClicked(category) {
    ...
    if (isFavoriteCategoryAutomated) {
      categoryExplores[category]++;
      favoriteCategory = $("favoriteCategory").value;
      favoriteCategoryExplores = categoryExplores[favoriteCategory];
      if (categoryExplores[category] > favoriteCategoryExplores) {
        $("favoriteCategory").value = category;
      }
    }
  }

  $("favoriteCategory").onclick = function( ) {
    isFavoriteCategoryAutomated = false;
  }

  /*
    "start": When page is loaded
    "mustSendMail": When instructions and verify password field shown
    "mustVerifySecretNumber": When email sent and user must enter secret
      number inside email
    "verified": When user is successfully logged in
  */
  var registerState = "start";

  <div id="passwordInfo">
    <div class="userLabel">Password:</div>
    <input type="password"ael id="password" name="password"/>
  </div>

  <div id="verifyPasswordInfo">
    <div id="regHeader">Demo Registration</div>
    <div class="regInstructions">
      <strong>1.</strong> Please ensure email address is correct and
      password is <strong>not</strong> confidential, then verify your
      password below.
    </div>
    <div class="userLabel">Verify Password:</div>
    <input id="verifyPassword" type="password" name="verifyPassword" />
  </div>

  <input type="button" id="login" value="Login"></button>
  <input type="button" id="register" value="Register"></button>
  <input type="button" id="cancel" value="Cancel"></button>

  function onRegisterClicked( ) {
    if (registerState=="start") {
      registerState = "mustSendMail";
    } else if (registerState=="mustSendMail") {
      var submissionOK = sendMail( );
      if (submissionOK) {
        registerState = "mustVerifySecretNumber";
      } else {
        return;
      }
    } else if (registerState=="mustVerifySecretNumber") {
      verifySecretNumber( );
    }
    onRegistrationStateChanged( );
  }

  function onRegistrationStateChanged( ) {
    if (registerState=="start") {
      $("userForm").reset( );
      $("login").style.display = "inline";
      $("verifyPasswordInfo").style.display = "none";
      $("secretNumberInfo").style.display = "none";
      $("verifiedInfo").style.display="none";
      $("cancel").style.display = "none";
      $("register").value="Register";
    } else if (registerState=="mustSendMail") {
      ...
    } else if (registerState=="mustVerifySecretNumber") {
      ...
    } else if (registerState=="verified") {
      ...
  }

A good salesperson works the same way. While assumptions might be made based on a prospect’s behavior, the salesperson is always listening; her assumptions are always open to challenge. (Malcolm Gladwell depicted this pattern of successful salespeople in Blink [Little, Brown, 2005]).

The idea to handle Lazy Registration in this Ajaxian manner was originally proposed by Chris Were (“Tahpot”)(http://tahpot.blogspot.com/2005/06/lazy-registration-with-ajax.html).

When Stuart logs in to perform an online exam, he is presented with a standard username-password form. He enters his username and password, but a few seconds later, the form becomes red and shows an error message underneath. He switches off Caps Lock and re-enters his credentials. This time, they’re accepted. The form morphs to show his name and balance, and a new menu appears alongside it.

How can users present their credentials to the server?

Authenticate the user with an XMLHttpRequest Call instead of with a form-based submission, hashing in the browser for improved security. The essence of this pattern is a routine transformation from a submission-based approach to an Ajaxian, Web Remoting (Chapter 6) interaction style. But, in this pattern, I also discuss a very useful, though optional, technique that involves JavaScript-based hashing and is specific to the login process.

Conventional authentication usually requires the user and password to be uploaded as a standard form submission. The server usually converts the password to a hash (or “validator”) value and checks it against a stored hash value in the database. If they match, the user is in.

There are two problems with this approach. Firstly, flushing the page can be a distraction. It might not take long, but it will usually leave the user in a different context, which will discourage her from logging in. Even more troublesome is the stream of pages that ensue when a password must be recovered (e.g., having to provide your maiden name, last purchase date, and the name of your favorite pet canary), especially in this security-conscious era. The other problem relates to security of the transmission; if the password is uploaded as plain-text, there’s a risk of interception.

Direct Login addresses the page refresh problem and, optionally, the transmission problem too. In the simplest approach, you can implement Direct Login by simply sending the username and password in plain-text to the validation service using an XMLHttpRequest POST. Then, the server behaves similarly to a conventional server: it checks whether the password matches using a hash function and prepares for session management. XMLHttpRequest deals with cookies as it does regular form handling; this allows the session to be established in the same way as a conventional form submission. The only difference is the response content: instead of outputting a new HTML page, the server outputs an XML or plain-text acknowledgment, as well as any personalized content.

Passing the credentials over with XMLHttpRequest will improve usability, but as long as the password is being transferred in plain-text, there’s still a security threat. Ensuring the whole transaction runs overs HTTPS is always the best measure, as this generally makes the transaction secure from interception. However, many web sites don’t provide such a facility. Fortunately, there’s a compromise that can prevent transmission of plain-text passwords. The technique, strictly speaking, is orthogonal to the Direct Login approach; you could apply it to conventional submission-based authentication as well. But since it makes heavy use of browser-side processing, it fits nicely with Direct Login.

The trick is to perform hashing in the browser. JavaScript is fast enough to transform the password into a hash value (not to mention that it’s capable of doing it), and there are libraries available to implement popular algorithms.

The naïve way of hashing is to simply hash the password to match what should be in the database. But any interceptor would then be able to perform a replay attack—it could log in using the same details. So we need a more sophisticated approach, such as the following double hashing algorithm.

With double hashing, the server generates a one-time random seed (S). The browser then hashes twice: first, it hashes the password (P), hopefully to yield what is stored on the database (Ha; Hash attempt). But instead of sending that, the browser combines it with the one-time seed to form a new hash (Da; Double-hash attempt). This new hash is sent to the server. The server then pulls out the stored hash (H) from the database and combines it with the original one-time seed (S) to form a new hash, which must match the hash (Da) that was uploaded. This works because, in both cases, the initial password (P) has been passed through the same two hash functions. In the browser, the user’s attempt is passed through a fixed hash function, and the result is immediately passed to a new hash function with one-time seed. In the server, the database already holds the result of hashing the real password using the fixed hash function. As long as the server uses the same seed and algorithm as the browser used to perform a second hashing, the two results should match. The server is also responsible for clearing the one-time seed after a successful login; otherwise, an interceptor could log in later on by uploading the same data. Here’s a summary of the algorithm:

James Dam’s Ajax Login (http://www.jamesdam.com/ajax_login/login.html) presents a standard HTML form (Figure 17-8). Submission is disabled and handled instead by callback methods registered on initialization:

Figure 17-8. Direct login demo

  <form action="post" onsubmit="return false">
    <div id="login" class="login">
      <label for="username">Username: </label>
      <input name="username" id="username" size="20" type="text">
      <label for="password">Password: </label>
      <input name="password" id="password" size="20" type="password">
      <p id="message">Enter your username and password to log in.</p>
    </div>
    <label for="comments">Comments:</label>
    <textarea rows="6" cols="80" id="comments"></textarea>
  </form>

As soon as the user signals his intent to authenticate, which is indicated by form field focus, a random, one-time seed is retrieved from the server if there isn’t already one present. The response comes in two parts: an ID for the seed and the seed itself, both of which are saved as JavaScript variables. The server can later use the ID to retrieve the seed it sent:

  function getSeed( ) {
    ...
    if (!loggedIn && !hasSeed) {
        http.open('GET', LOGIN_PREFIX + 'task=getseed', true);
        http.onreadystatechange = handleHttpGetSeed;
        http.send(null);
    }
    ...
  }
  function handleHttpGetSeed( ) {
    ...
    if (http.readyState == NORMAL_STATE) {
        results = http.responseText.split('|');
        // id is the first element
        seed_id = results[0];
        // seed is the second element
        seed = results[1];
    }
    ...
  }

The seed is then used to hash the password upon submission. Notice that hex_md5( ), the double-hashing operation, is used twice.

  // validateLogin method: validates a login request
  function validateLogin( ) {
    ...
    // compute the hash of the password and the seed
    hash = hex_md5(hex_md5(password) + seed);

      // open the http connection
      http.open('GET',
        LOGIN_PREFIX +
        'task=checklogin&username='+username+'&id='+seed_id+'&hash=
'+hash, true);
      ...
  }

The server then validates by locating the seed that it previously sent out, and checking if the hash value matches a hash of the seed and the stored password hash. If it does, the server deletes the seed to ensure that it’s used only once:

  sql = 'SELECT * FROM seeds WHERE id=' . (int)$_GET['id'];
  ...
  if (md5($user_row['password'] . $seed_row['seed']) == $_GET['hash']) {
      echo('true|' .  $user_row['fullname'']);
      ...
      mysql_query('DELETE FROM s WHERE id=' . (int)$_GET['id']);
  }

After calling for validation, the browser receives a response and the form is morphed to show whether login was successful.

Reta is dismayed to learn that a malicious hacker managed to download a chunk of the company’s database containing personal details about all the customers in her store. Fortunately, she also learns that the pass-phrase she always entered was actually used to encrypt all that data, so the hacker won’t be able to make sense of any of the contents.

How can you mitigate the effects of unauthorized access to your application data?

Host sensitive data in encrypted form so that clients can only access and manipulate it by providing a pass-phrase that is never transmitted to the server. The server is limited to persisting and retrieving whatever encrypted data the browser sends it and never actually sees the sensitive data in its plain form. All encryption and decryption takes place inside the browser itself.

Just what does secure hosting have do with Ajax? The Ajaxian twist comes in the maintenance of the pass-phrase. You could use the browser-side encryption with a conventional application, but the pass-phrase would have to be entered upon each page refresh, since no JavaScript state survives a reload. With page refreshes occurring every few seconds, the pass-phrase is completely unusable. However, using Ajax to avoid page refresh means you can retain all session state in the browser, so the pass-phrase only needs to be entered at the start. After being entered, it can be retained as a standard JavaScript string and will disappear from the browser when the user quits the browser or visits another site. Suddenly, Host-Proof Hosting becomes usable.

Incidentally, don’t take this pattern to be a new “Ajax-HTTPS” protocol. The issue here is how the data is actually stored, not how it’s transmitted. In theory, the data itself need not travel over a secure connection because it’s already encrypted. In practice, a secure connection might be worthwhile in order to reduce some of the vulnerabilities described later in this section.

Before you rush off to upload all your trade secrets to Shonky Hosting Inc., you should be aware that this idea isn’t foolproof. On the one hand, the host is assumed to be inherently untrustworthy. But on the other hand, the script for the browser application is held right there on the server, and the browser runs whatever scripts come down from that URL. This leaves open the possibility that the host will tamper—to evil ends—with either the code itself or the outgoing HTML and JavaScript.

What if a rogue administrator from the hosting company decided to quietly add a small monitoring function to a JavaScript file and append its execution to a window.onload function. Then, the evil monitoring function could be made to run once a minute within the browser. It might, for instance, serialize the entire DOM and upload a summary back to the server with Web Remoting (Chapter 6), where more malicious code would log it somewhere convenient. A third-party hacker sitting between the browser and the server could also inject a script and could upload data to a remote site with one of several established techniques—for instance, by exporting browser data as CGI variables on the source URL of an external image under the hacker’s control. In both scenarios, the application can continue as normal, and the poor user is none the wiser.

The threat of script injection certainly weakens the claim for this pattern, but it doesn’t invalidate it altogether. While script injection is theoretically possible, it does require some skill on the host’s part and is also detectable if you know what the code should and should not be doing. If you happened to discover that your application is uploading DOM details every sixty seconds (using a tool similar to those described in Traffic Sniffing [Chapter 18]), there’s a good chance that something’s blatantly wrong.

For practical purposes, also consider what happens if a hacker gains unauthorized access for a short time. She might well grab as much data as possible, but the data will be safely encrypted. In the unlikely event such a hacker was sophisticated enough to use script injection, she would only be able to gain pass-phrases of users who happen to be logged in during the time the server is under her control.

So pragmatic considerations suggest that the technique is safer than hosting the data in plain form, though it’s by no means perfect. But is it so much safer as to warrant the extra performance overhead and coding effort and the constraint of zero page refreshes? That’s a decision you’ll need to make on a case-by-case basis, bearing in mind the critical nature of the data—the likelihood of the various types of attack.

In theory, there’s an even stronger claim in favor of this approach. It might be possible to develop a general-purpose plugin to detect script injection. For a given application, such a plugin would have access to a certified copy of the source code. Then, it could monitor traffic and caution you about any unexpected activity. If such a plugin could be developed, the only way for script injection to succeed would be a conspiracy between the host, the code certifier, and the plugin manufacturer.

There are no public real-world examples to my knowledge. One precedent is Hushmail (http://hushmail.com), which uses a Java applet to allow access to email encrypted on the server.

Richard Schwartz provides a proof-of-concept demo (http://smokey.rhs.com/web/test/AjaxCryptoConceptProof.nsf/blowfish?OpenPage)(Figure 17-10). For encryption, it delegates to a JavaScript Blowfish library. The application accepts a pass-phrase, a message key, and some message content. It then encrypts the message and uploads it. It also uploads the key, along with an encrypted version of the key, which can be used later to check that the user has the correct pass-phrase. The application then shows that the server is holding only the encrypted content and the key. You can then pull the encrypted content back down and decrypt it with the original pass-phrase.

Figure 17-10. Host-Proof Hosting

The application itself is quite simple: it manipulates the “display” style settings of a series of forms in order to show or hide them. Thus, the user’s pass-phrase remains in the pass-phrase input field at all times. This is the important thing about the demo; there’s no form submission, so the pass-phrase needs to be entered only once.

When the application is ready to upload the encrypted data, it sets up the global variables required by the Blowfish library (ideally, the library would accept these as parameters). encodetext( ) is called (with “2” to specify the Blowfish algorithm), and it outputs the encrypted version in the form of a global variable:

  saveCryptoText( ) {
    ...
    inpdata=window.document.inputForm.plaintextInput.value;
    passwd=window.document.inputForm.password.value;
    // invoke blowfish
    encodetext(2);
    data = data + "&check=" + outdata ;
    ...
  }

The encrypted key is also attached:

  inpdata=window.document.inputForm.check.value;
  encodetext(2);
  data = data + "&check=" + outdata ;

The data can now be sent to the server:^[*]

  url = "http://smokey.rhs.com/web/test/AjaxCryptoConceptProof.nsf/SaveBlowfishDoc
?OpenAgent"
+ data
  httpPost(url)

Later on, the application provides a list of message keys that have been sent to the server. When the user chooses one, the application requests an XML document from the server containing the message and key details (in practice, the message key could be verified before the body is downloaded). It first performs a check that the key is valid for this pass-phrase, then decrypts the message itself. Finally, a DOM object is morphed to display the decrypted text:

  inpdata = "";
  inpdata = getElementText(valuenode);
  outdata = ""
  decodetext(2);
  ...
  window.document.all.decryptedText.innerHTML = stripNulls(outdata);

Caesar wonders whether he can entrust his aide with the top-secret recipe for victory wine. Fortunately, he’s a pioneer of cryptography, so he just hands over the recipe in encrypted form.

Check out Richard Schwartz’s blog entries:

Richard Schwartz’s blog entries provided the idea for this pattern, and its name is attributed to Richard Schwartz, Michael Griffes, and their colleagues at eVelocity. I am also grateful to others who have commented on the approach, notably Alex Russell, who has cautioned on the vulnerabilities of this approach, such as script injection.

Tracy was so keen on leaving the office Friday afternoon that she forgot to shut down the market news web site. Fortunately, the web site monitors mouse movements, meaning that if she doesn’t interact with the page for an hour, it will suspend itself, saving a lot of wasted refreshes. On Monday morning, Tracy walks in and sees a screensaver-like animation in the browser, with a message indicating that updates have ceased. She clicks a mouse button and sees the screen update with the latest prices.

How can you tell whether the user is still working with the application?

Have the browser Timeout the user after a period of inactivity and, optionally, inform the server. After a period of inactivity, the application is either suspended, requiring the user to manually resume it or shut down, requiring the user to restart.

This pattern raises the whole question of sessions in Ajax. Conventional applications usually have server-side session objects which represent the user’s current session. Typically, this means short-lived information such as shopping cart contents or recently viewed items.

In Ajax, server-side sessions are not so useful. In fact, if you rely solely on RESTful Services, you may not need those session objects at all. In browser-centric Ajax Apps, the browser is a full-fledged application with all of the session state held within. So the browser state is the session. The server-side session, if used at all, is only relevant to authentication and has no impact on the response to any particular query. See RESTful Service (Chapter 9) for more details.

How is all of this relevant to Timeout? Well, consider this familiar nightmare scenario:

The user opens up a form, spends two hours populating it while researching the answers, and clicks submit. The browser then responds with “Your session has expired” and adds insult to injury by presenting a new blank form.

Stories like this are all too common because server-side session Timeouts ignore what’s happening in the browser. If the user hasn’t submitted a form in, say, 30 minutes, the session times out and all the data is lost. That’s a problem if the user has been actively working on the browser side. With an Ajax App, the server has a better chance of staying in sync with the browser thanks to XMLHttpRequest Calls (Chapter 6). In most environments, the server-side session will be automatically refreshed when an XMLHttpRequest Call comes in. However, this is not optimal either because the server still doesn’t know why browser calls are occurring. For applications using Periodic Refresh (Chapter 10), for example, a server-side session will stay alive indefinitely even if the user has left the building.

By relying instead on browser-based Timeout detection, you can be more intelligent about how Timeouts will occur. Browser-based Timeout detection is based on Scheduling (Chapter 7). A timer is established to count down to Timeout state. Each significant activity cancels the timer and starts a new one in its place.

What activities are significant enough to restart the timer? Mouse movement is one candidate. You can monitor each mouse movement on the page; one of the following Code Refactoring illustrations below does exactly that. Mouse movements are a very broad indicator, and you might be concerned about “false positives”: These may be suggestions that a user is still working with an application when they’re in fact not, e.g., they just happened to move the mouse across the browser window while cycling through each open window. You’ll also get some “false negatives”: A user working only with the keyboard is liable to be timed out. If you’d prefer to keep the session going only if the user is actively changing data, you can instead catch events such as button clicks and keypresses within input fields.

Sudden Timeouts can be frustrating for users, so consider these feedback measures:

Once you’ve detected that the user is inactive, what do you do? Timeout can be used in several ways:

So informing the server of a Timeout is a good thing. But there’s still a small problem with this approach: What if the user quits the browser or moves away to another site? Then a Timeout will never occur and the server will blissfully continue assuming that the user is logged in for all eternity. To alleviate this problem, have the server refresh the user’s record upon each incoming request that suggests user activity. The rest remains, however, of inadvertently timing out a user who is performing browser-only activity. So what we need is a way for the browser to keep telling the server that the user is still active, explicitly noting that a Timeout hasn’t actually occurred. That’s exactly what the Heartbeat pattern is about—see later in this chapter for more details.

Many conventional web sites have a session Timeout feature, though it’s implemented server side rather than the way I’ve described in this section.

Lace Chat

Brett Stimmerman’s Lace Chat (http://www.socket7.net/lace/) is an Ajax chat app. As such, it requires a Periodic Refresh in order to keep showing new messages, a serious bandwidth concern if the user is no longer interested in the conversation. So after some idle time, a dialog box appears indicating that Lace has stopped; it includes a button allowing the user to resume (Figure 17-12). Lace also has a Status Area (Chapter 15) that always shows whether the application is running—i.e., whether the server is being polled. In fact, you can pause and resume it manually too. The Timeout mechanism hooks into this state by forcing the application to pause upon Timeout.

Figure 17-12. Lace Chat Timeout

If a car engine remains idle long enough, you’re probably going to assume that it’s dead and give up trying to start it. To keep going would only be a waste of energy.

For auditing purposes, Frank must run the factory decision support system all day long, so the server needs to ensure that it’s always alive in the browser. But requests won’t come in very often because it’s a fat client, with the business logic in JavaScript. To ensure that the server keeps getting requests, the browser explicitly uploads a Heartbeat message every 10 minutes.

How do you know the user still has an application in the browser and is actively working with it?

Have the browser periodically upload Heartbeat messages to indicate that the application is still loaded in the browser and the user is still active. The server keeps track of each user’s “last Heartbeat.” If the Heartbeat interval is 10 minutes and the user’s last Heartbeat was longer than 10 minutes ago, the server knows that the user is no longer active. The objective is to help the server track which users are active. Session tracking isn’t essential in Ajax Apps, where it’s possible to hold all session data as JavaScript state, but, as described in the Solution of Timeout, there are still reasons to do it.

Heartbeat messages are uploaded to a special "Heartbeat service" using XMLHttpRequest Calls. Because they affect server state, they should be POSTed in. The Heartbeat service will update the user’s last Heartbeat record, but how does it associate a Heartbeat message with a user? Heartbeat relies on some form of session management. One approach is to use cookies, either directly or via a cookie-based session framework. However, if you do that, the conversation will be stateful, thus violating a fundamental RESTful Service principle. A cleaner approach is to explicitly include the session ID in the Heartbeat body. Note that you shouldn’t just upload the user ID, as others could easily fake the user ID.

Heartbeat is closely related to Timeout, but they work in different ways. You can use either independently, but Heartbeat works best as a supplement to Timeout. The point of Timeout is to stop the browser application after an idle period for security and bandwidth reduction. Notifying the server of Timeout events yields extra benefits, but it only works if the application is still sitting in the browser and working fine. That’s why we use Heartbeat messages, which are, in a sense, the inverse of Timeouts, and therefore a good supplement. Whereas a Timeout message has the browser announce when a timeout has occurred (Figure 17-15), a Heartbeat message has it continuously announced that a Timeout hasn’t occurred (Figure 17-16). As soon as the server detects a missed Heartbeat, it can assume the application is no longer running.

Figure 17-15. Heartbeat sequence

Figure 17-16. Timeout sequence

As an alternative to Heartbeat, you can maintain a “Last Seen” or “Last Request” field to track the last time the user issued a request. Thus, not only Heartbeat messages but any other messages will refresh the user’s record. The Heartbeat is just a backup. Using these fields might paint a more meaningful picture if you’re showing the timestamp to other users or feeding it into analysis.

This pattern is purely speculative in the context of Ajax applications. However, Heartbeats are commonplace in enterprise messaging systems, where they are used to monitor the status of components throughout a network.

As this pattern is speculative, there are no real-world examples at this time.

The Timeout pattern (see earlier in this chapter) refactored the wiki to produce the Timeout Wiki Demo (http://ajaxify.com/run/wiki/timeout), and two further refactorings from there. The present refactoring (http://ajaxify.com/run/wiki/timeout/heartbeat), as seen in Figure 17-17, creates a third version of the basic Timeout demo, introducing a Heartbeat. Note that Heartbeat can work independently of Timeout but works better in tandem, as this pattern demonstrates.

Figure 17-17. Showing user status via Heartbeat

To illustrate Heartbeat, I’ll show one of its main applications—an application that lets users see who else is “currently online”, i.e., who else has a recent Heartbeat registered. Thus, each user is assigned a random ID, and a Heartbeat mechanism is used to maintain the “Currently Online” list.

But first, let’s look at the Heartbeat mechanism. Server side, the Author class contains a lastRequest property:

  class Author {
    private $id;
    ...
    private $lastRequest;
    ...
  }

The Heartbeat service accepts a message with an author ID and updates the user’s lastRequest. Note that a production system should accept a session ID rather than a user ID. The service extracts the author from the database and updates its lastRequest. If the author does not yet exist, a new record is created with lastRequest set to the present. Finally, the record is persisted:

  if (isset($_POST['renew']) && $_POST['renew']=="true") {
    $authorId = $_POST['author'];
    $now = time( );
    $author = $authorDAO->fetch($authorId);
    logInfo("Got author record for $authorId");
    if ($author) {
      logInfo("Updating timestamp for user $authorId");
      $author->setLastRequest($now);
    } else {
      logInfo("Adding author $authorId");
      $author = new Author($authorId, $now, $now);
    }
    $authorDAO->persist($author);
  }

A periodic loop is set up to access the Heartbeat service. Because the Heartbeat call is "fire-and-forget,” an empty callback function is used:

  window.onload = function( ) {
    ...
    heartbeatTimer = setInterval(sendHeartbeat, HEARTBEAT_PERIOD);
    ...
  }
  function sendHeartbeat( ) {
    vars = {
      renew: true,
      author: authorId
    };
    ajaxCaller.postForPlainText("session.phtml", vars, function( ) {});
  }

And that’s the basic Heartbeat pattern. But there’s a bit more to do because we’re integrating it into Timeout. We want to stop sending Heartbeats when a timeout has occurred in the browser. In the preceding code, we created a variable, heartbeatTimer, to track the periodic Heartbeat calls. Since we have a handle on the periodic process, we are able to cancel it upon timeout:

  function onTimeout( ) {
    ...
    clearInterval(heartbeatTimer);
    ...
  }

The other feature here is the list of online users, which illustrates one way to use the Heartbeat data. session.phtml exposes an XML list of currently online users (http://ajaxify.com/run/wiki/timeout/heartbeat/session.phtml?current). The fetchRecentlyActive method accepts a parameter indicating just how recently active the records should be. In this case, we ask for users with a request in the past 10 seconds:

  if ($_GET="current") {
    header("Content-type: text/xml");
    echo "<authors>";
    foreach ($authorDAO->fetchRecentlyActive(10) as $author) {
      echo "<author>{$author->getId( )}</author>";
    }
  echo "</authors>";

In the browser, there’s a div to contain the list:

    <h1>Who's Online?</h1>
    <div id="currentlyOnline"></div>

A timer is established to perform a Periodic Refresh on the current data. Every few seconds, the XML is requested and the callback function transforms it into HTML for display:

  currentlyOnlineTimer = setInterval(updateCurrentlyOnline, CURRENTLY_ONLINE_PERIOD);

  function updateCurrentlyOnline( ) {
    ajaxCaller.getXML("session.phtml?current", function(xml) {
      $("currentlyOnline").innerHTML = "<ul>";
      var authors = xml.getElementsByTagName("author");
      for (var i=0; i<authors.length; i++) {
        var authorName = authors[i].firstChild.nodeValue;
        $("currentlyOnline").innerHTML += "<li> " + authorName + "</li>";
      }
      $("currentlyOnline").innerHTML += "</ul>";
    });
  }

As with the Heartbeat timer, the “currently online” timer is cancelled upon timeout, so no more Periodic Refreshes will occur:

  function onTimeout( ) {
    ...
    clearInterval(currentlyOnlineTimer);
    ...
  }

The name "Heartbeat" is, of course, taken from a metaphor with the biological heart.

Go to http://www.mindspring.com/~mgrand/pattern_synopses3.htm#Heartbeat for a brief summary of Enterprise Java Heartbeat pattern. See Mark Grand’s “Java Enterprise Design Patterns” for the full pattern.

Sasha is exploring a recent news event by browsing a map of the area. There’s a Unique URL for each location, so she’s able to link to it in her blog and add it to her social bookmarking account.

How can you assign distinct URLs to different parts of your application?

Provide Unique URLs for significant application states. Each time a significant state change occurs—e.g., the user opens a new product in an e-commerce system—the application’s URL changes accordingly. The objective is straightforward, but as discussed later in this section, the implementation requires a few unusual tricks. This Solution is fairly complex, because it delves into the details of building Unique URLs. Increasingly, though, reusable libraries will save you the effort, so be sure to check out what’s available before directly applying any of the techniques here. The Real-World Examples identifies a couple of resources, and there will doubtless be others by the time you read this.

In Ajax, most server communication occurs with XMLHttpRequest. Since XMLHttpRequest Calls don’t affect the page URL, the URL is, by default, permanently stuck on the same URL that was used to launch the Ajax App, no matter how many transfers occur. The only option you have to manipulate the URL is to use JavaScript. And, in fact, it’s very easy to do that with the window.location.href property:

  window.location.href = newURL; // Caution - Read on before using this.

Very easy, but there’s one big problem: under normal circumstances, the browser will automatically clear the page and load the new URL, which sort of defeats the purpose of using Ajax in the first place. Fortunately, there’s a cunning workaround you can use. It was originally conceived in the Flash world and has more recently been translated to an Ajax context. Mike Stenhouse’s demo and article (http://www.contentwithstyle.co.uk/Articles/38/fixing-the-back-button-and-enabling-bookmarking-for-ajax-apps) provides a good summary of the approach, and the Solution here is based heavily on his work.

The cunning workaround relies on fragment identifiers —those optional components of URLs that follow the hash character (#). In http://ajaxpatterns.org/Main_Page#Background, for example, the fragment identifier is Background. The point of fragment identifiers has traditionally been to get browsers scrolling to different points on a page, which is why they are sometimes called “in-page links” or “named links.” If you’re looking at the Table of Contents on AjaxPatterns.org (http://ajaxpatterns.org#toc) and you click on the Background link—http://ajaxpatterns.org/#Background—the address bar will update and the browser will scroll to the Background section. Here’s the point: no reload actually occurs. And yet, the browser behaves as if you clicked on a standard link: the URL in the address bar changes and the Back button sends you back from whence you came (at least for some browsers; more on portability later).

You can probably see where this is going. We want Ajax Apps to change the page URL without forcing a reload, and it turns out that changes to fragment identifiers do exactly that. The solution, then, is for our script to change only the fragment component. We could do this by munging the window.location.href property, but there’s actually a more direct route: window.location.hash. So when a state change is significant enough, just adjust the URL property:

  window.location.hash = summary;

Throughout this pattern, summary refers to a string representation of the current browser state—at least that portion of the state that’s worth keeping. For example, imagine that you have an Ajax interface containing several tabs: Books, Songs, and Movies. You want to assign a Unique URL to each tab, so the summary will be the name of any of these tabs. If there were other significant variables, they would be integrated into the summary string. To keep the fragment synchronized with the current state, you need to identify when state changes occur and update the fragment accordingly. In the following tab example, you can do this by making the onclick handler set the hash property in addition to changing the actual content:

  songTab.onclick = function( ) {
    window.location.hash = "songs".
    // ... now open up the tab
  }

So now the URL changes from http://ajax.shop/ to http://ajax.shop/#songs. That was easy enough, but what happens when you mail the URL to a friend? That friend’s browser will open up http://ajax.shop and assume songs is an innocent, old-fashioned, in-page link. It will try to scroll to a songs element and won’t find one, but it won’t complain about it either; it will simply show the main page as before. We’ve made the URL change after a state change, but so far we haven’t built in any logic to make the state change after a URL change.

State and URL need to be in sync. If one changes, the other must change as well. Effectively, there’s a mini-protocol specific to your application that defines how state and URL map to each other. In the preceding example, the protocol says “The fragment always represents the currently open tab.” Setting the fragment is one side of the protocol; the other side is reading it. After your friend opens http://ajax.shop/#songs, and after his browser unsuccessfully tries to scroll to the nonexistent songs element, we need to read the fragment and update the interface accordingly:

  window.onload = function( ) {
    initializeStateFromURL( );
  }
  initializeStateFromURL( ) {
    var initialTab = window.location.hash;
    openTab(initialTab);
  }

Good. Now you can mail the link, bookmark it, and link to it from another page. In some browsers at least, it will also go into your history, which means the Back button will work as expected. For a simple implementation, that’s good enough.

However, the solution still isn’t ideal, because what will happen if the application is already loaded? The most likely situations occur when clicking the Back button to revert to a previous state and when retrieving a bookmark while already on that application. In both cases, the URL will change in the address bar, but the application will do absolutely nothing!

Remember, we’re making the application manipulate fragments precisely because the browser doesn’t reload the page when they change. When it comes to Back buttons and bookmarks and the like, we’re talking about changes that are initiated by the user, yet the browser treats these with exactly the same inaction as when our script initiates them. So our onload won’t be called and the application won’t be affected in anyway.

To make Unique URLs work properly, we have to resort to something of a cheap trick: continuously polling the fragment property. Whenever the fragment happens to change, the browser script will notice a short time later and update state accordingly. In this example, we could schedule a check every second using setInterval( ):

  window.onload = function( ) {
    initializeStateFromURL( );
    setInterval(initializeStateFromURL, 1000);
  }

In fact, we should only perform an action if the hash has recently changed, so we perform a check in initializeStateFromURL( ) to see if the hash has recently changed:

  var recentHash = "";
  function pollHash( ) {
    if (window.location.hash==recentHash) {
      return; // Nothing has changed since last polled.
    }
    recentHash = window.location.hash;
    // URL has changed. Update the UI accordingly.
    openTab(initialTab);
  }

The polling adds to performance overhead, but we now have a URL setup that feels like the real thing.

One last thing on this technique. I mentioned earlier that you can set window.location.hash manually after state changes. Now that we’ve considered the polling technique, you can see that it’s also possible to do the reverse: change the URL in response to user events, then let the polling mechanism pick it up and change state accordingly. That adds a delay, but one big benefit is that you can easily add a hyperlink on the page to affect the system state.

Here’s a quick summary of the technique just described, which I’ll call the “page-URL” technique:

But wait, there’s more! I mentioned earlier that each URL goes into history, but only “for some browsers.” IE is one of the outliers here, so the above technique will fail IE’s history mechanism, and the Back button won’t work as expected. The good news is there’s a workaround for it. The bad news is that it’s a different technique and won’t work properly on Firefox. So if you can live with everything working but IE history, go with the hash-rewrite technique. Otherwise, read on . . . .

The IE-specific solution relies on IFrames and on their source URLs, so I’ll call it the “IFrame-URL” technique. While IE won’t consider a fragment change historically significant, it will recognize changes to the source URL of an embedded IFrame. Each time you change the source URL of an IFrame, the entire page will be added to the history. Think of each page in the history as not just the main URL but the combination of main URL and URLs of any IFrames. Its the combination that must vary in order to create a new history entry.

So to get IE history working, we can embed a dummy IFrame and keep changing its source URL to reflect the current state. When the user clicks Back, the source will change to its previous state. In theory, the browser could keep polling the IFrame’s source URL to find out when it’s updated, but, for some reason, reverted IFrames don’t seem to provide the correct source URL. So a workaround is to make the actual IFrame body contain the summary of browser state, i.e., the string which was in the fragment identifier for the previous algorithm. Then, the polling mechanism looks at the IFrame body rather than its source URL.

For example, if the user clicks on the Songs tab, the IFrame source will change to dummy.phtml?summary=Songs. The body of dummy.phtml will be made (by the server) to contain this argument verbatim, i.e., the body of the IFrame will be “Songs.” When the user later clicks somewhere else and then clicks the Back button, the browser will reset the IFrame’s URL to dummy.phtml?summary=Songs and the body will once again be “Songs.” The polling mechanism will soon detect the change and open the Songs tab.

Now we have history, but we haven’t done anything about the URLs. So when the user clicks on the Songs tab, we not only change the IFrame source but also the main document URL using a fragment identifier like before. We also have to make sure that the polling mechanism looks at the URL as well as the IFrame source. If either has changed since last poll, the application state must be updated. In addition, the one that hasn’t changed must also be updated, i.e., if the IFrame source has changed, the URL must be updated, and vice versa.

Here’s a quick summary of the IFrame-URL technique:

Note that this won’t work on Firefox, because Firefox will include URL changes as well as IFrame changes in the history. Thus, each state change will actually add two entries to Firefox’s history. As mentioned earlier, you’ll probably need to implement both algorithms in order to fully support both browsers. A modified version of the second technique will do it as well. Also, be careful when using both approaches because there’s a risk your polling mechanism will revert states too eagerly. If the user has begun changing a value and the polling mechanism kicks in, it’s possible that the value will change back. If you separate input and output carefully enough, that can be avoided. A workaround is to suspend the polling mechanism at certain times. None of this is ideal, but a Unique URL mechanism is worth fighting for.

As a variant on changing the IFrame’s source, Brad Neuberg—based on a hack by Danny Goodman—has pointed out that browsers will retain form field data (http://codinginparadise.org/weblog/2005/08/ajax-tutorial-saving-session-across.html). Instead of changing the IFrame source, you set the value of a hidden text field in the IFrame. That will solve the history problem, but you’ll still need to do something about the main page URL to give the page a Unique URL.

To summarize all of this, here are all the things we’d want from Unique URLs and an explanation of how each can be achieved in Ajax.

URL handling is one of the greatest complaints about Ajax, with myths abounding about how “Ajax breaks the Back button” and how “You can’t bookmark Ajax Apps.” That an Ajax App can include full page refreshes is enough to debunk these myths. But this pattern shows that even without page refreshes, Unique URLs are still do-able, even if somewhat complicated. This pattern identifies some of the current thinking on Unique URLs, but the problem has not yet been solved in a satisfactory manner. The best advice is to watch for new ideas and delegate to a good library where applicable.

This example refactors the Basic Sum Demo (http://ajaxify.com/run/sum) using both the Page-URL and IFrame-URL techniques. There are actually four implementations here:

  function submitSum( ) {
    definedFigures = {
      figure1: $("figure1").value,
      figure2: $("figure2").value,
      figure3: $("figure3").value
    }
    hash =     "#" + definedFigures.figure1 + "," + definedFigures.figure2
              + "," +definedFigures.figure3;
    window.location.hash = hash;
    ajaxCaller.get("sum.phtml", definedFigures, onSumResponse, false, null);
  }

  function setInitialFigures( ) {
    figuresRE = /#([-]*[0-9]*),([-]*[0-9]*),([-]*[0-9]*)/;
    figuresSpec = window.location.hash;
    if (!figuresRE.test(figuresSpec)) {
      return; // ignore url if invalid
    }
    $("figure1").value = figuresSpec.replace(figuresRE, "$1");
    $("figure2").value = figuresSpec.replace(figuresRE, "$2");
    $("figure3").value = figuresSpec.replace(figuresRE, "$3");
    submitSum( );
  }

  window.onload = function( ) {
    ...
    setInterval(pollHash, 1000);
  }

  var recentHash = "";
  function pollHash( ) {
    if (window.location.hash==recentHash) {
      return; // Nothing has changed since last polled.
    }
    recentHash = window.location.hash;
    // ... Same code as in previous setInitialFigures( ) function ...
  }

  <iframe id='iFrame' name='iFrame' src='summary.phtml?summary='></iframe>

  function submitSum( ) {
    ...
    $("iFrame").src = "summary.phtml?summary=" + summary;
  }

  window.onload = function( ) {
    ...
    setInterval(pollSummary, 1000);
  }
  function pollSummary( ) {
    summary = window["iFrame"].document.body.innerHTML;
    if (summary==recentSummary) {
      return; // Nothing has changed since last polled.
    }
    recentSummary = summary;
    // Set figures according to summary string and call submitSum( )
    // to set the result ...
  }

  function getURLSummary( ) {
    var url = window.location.href;
    return URL_RE.test(url) ? url.replace(/.*#(.*)/, "$1") : "";
  }
  function getIFrameSummary( ) {
    return util.trim(window["iFrame"].document.body.innerHTML);
  }
  function getInputsSummary( ) {
    return $("figure1").value +","+ $("figure2").value +","+ $("figure3").value;
  }
  function setURL(summaryString) {
    window.location.hash = "#" + summaryString;
    document.title = "Unique URL Sum: " + summaryString;
  }
  function setIFrame(summaryString) {
    $("iFrame").src = "summary.phtml?summary=" + summaryString;
  }

function updateSumResult( ) {

  definedFigures = {
    figure1: $("figure1").value,
    figure2: $("figure2").value,
    figure3: $("figure3").value
  }
  ajaxCaller.get("sum.phtml", definedFigures, onSumResponse, false, null);

}

function onSumResponse(text, headers, callingContext) {
  self.$("sum").innerHTML = text;
}

  window.onload = function( ) {
    self.$("addButton").onclick = function( ) {
      onSubmitted( );
    }
    ...
  }
  function onSubmitted( ) {
    var inputsSummary = getInputsSummary( );
    setIFrame(inputsSummary);
    setURL(inputsSummary);
    updateSumResult( );
  }

  window.onload = function( ) {
    ...
    pollTimer = setInterval(pollSummary, POLL_INTERVAL);
  }
  function pollSummary( ) {
    var iframeSummary = getIFrameSummary( );
    var urlSummary = getURLSummary( );
    var inputsSummary = getInputsSummary( );
    if (urlSummary != inputsSummary) { // URL changed, e.g., bookmark
      setInputs(urlSummary);
      setIFrame(urlSummary);
      updateSumResult( );
    } else if (iframeSummary != inputsSummary) { //IFrame changed,e.g., Back button
      setInputs(iframeSummary);
      setURL(iframeSummary);
      updateSumResult( );
    }
  }

  window.onload = function( ) {
    ...
    // Prevent iframe from triggering URL change during editing. The URL
    // change would in turn trigger changing of the values currently under edit,
    // which is why it needs to be stopped.
    for (var i=1; i<=3; i++) {
      $("figure"+i).onfocus = function( ) {
        clearInterval(pollTimer);
      }
      $("figure"+i).onblur  = function( ) {
        pollTimer = setInterval(pollSummary, POLL_INTERVAL);
      }
    }
    ...
  }

The Solution is based heavily on Mike Stenhouse’s article (http://www.contentwithstyle.co.uk/Articles/38/fixing-the-back-button-and-enabling-bookmarking-for-ajax-apps).