Sometimes a website needs to jump to a different page after login, depending on the type of user (permission).
Using Ajax requests avoids frequent page jumps and effectively improves the user experience.
The main code of the Ajax request:
Regular expression validation:
If, after a series of checks on the backend, a successful login is answered with a redirect such as response.sendRedirect("/easyparttimejob/view/html/student.html"), the page does not jump to that page, even though the response has reached the page:
Reason (excerpted from the web):
Ajax only uses script to access the corresponding URL and get the data; it cannot do anything other than receive the returned data. Therefore, the browser does not perform the redirect.
1) A normal HTTP URL request has only two participants, the browser and the server. The browser initiates an HTTP request; after processing, the server initiates a redirect; the browser takes the redirect address from the response and initiates another HTTP URL request. That is, the browser acts on the content of the response (such as a redirect), and this behavior is determined by the browser's own functionality.
2) An Ajax request has three participants: Ajax, the client, and the server, with Ajax sitting between the other two. The client initiates an Ajax request, and after server-side processing a redirect is initiated. What does Ajax do then? It only gets the data that was requested and performs no other action. That is simply how Ajax works, and how the Ajax framework source code is written.
In other words, once Ajax is introduced, it sits between the browser and the server. The server's response to the browser is intercepted by Ajax, but Ajax itself does nothing with it and does not pass it on.
Solution (the backend returns the user ID, and the jump is completed in the browser):
This achieves the desired effect, but there is a security risk:
Normally, the server returns data like this, and the browser jumps based on that field:
Intercept the response with Fiddler:
Intercept the response header before the response arrives in the browser, change the field to manager, and then release the response.
As a result, a login that should jump to the student homepage jumps to the administrator homepage instead.
So I still choose form submission for login, and I show a prompt when the password is wrong:
Or still do the jump in the browser, but verify the user's permissions before each operation.
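The second option, as an added example (not the original author's code): the browser still picks the page from the Ajax response, but the server checks the role stored in the session before serving each page, so an altered response field only ends in a 403. This is a JavaScript model of the backend logic; the role names, the JSON shape and manager.html are assumptions.

```javascript
// Added example, not the original author's code. The role names, the JSON
// shape and manager.html are assumptions; student.html is the page's own path.
const BASE = "/easyparttimejob/view/html/";

// Server-side map: which role each protected page requires.
const REQUIRED_ROLE = new Map([
  [BASE + "student.html", "student"],
  [BASE + "manager.html", "manager"], // hypothetical administrator page
]);

// Server: called after the credentials have been verified. The role is stored
// in the session (server-held state) and also returned to the browser.
function onLoginSuccess(session, account) {
  session.user = account.name;
  session.role = account.role;
  return JSON.stringify({ ok: true, role: account.role });
}

// Server: runs before every protected page or operation. It reads only the
// session, never a role value supplied by the client.
function authorize(session, path) {
  const needed = REQUIRED_ROLE.get(path);
  if (needed === undefined) return 404;
  if (!session || !session.role) return 401;  // not logged in
  return session.role === needed ? 200 : 403; // wrong role: forbidden
}

// Browser: chooses the page to jump to from the Ajax response body.
function pageFor(responseText) {
  const { role } = JSON.parse(responseText);
  return BASE + role + ".html";
}

// Constructed run: a student logs in and the response body is altered in
// transit (as with the proxy described above) before the browser reads it.
function demo() {
  const session = {};
  const genuine = onLoginSuccess(session, { name: "alice", role: "student" });
  const altered = genuine.replace('"student"', '"manager"');
  return {
    honestStatus: authorize(session, pageFor(genuine)),
    alteredTarget: pageFor(altered),
    alteredStatus: authorize(session, pageFor(altered)),
  };
}
console.log(demo());
```

The field in the response only decides which URL the browser asks for; whether that URL is served is decided from the session alone.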
Share your solution!
Ajax request redirects that do not take effect: the solution and its hidden security risk