Differentiate between guest session and expired session?


#1

So my Angular app was running smoothly for a while, until I enabled guest access to certain services. Then I noticed that when my logged-in user’s session expired, the Angular client which performed API requests would now get 403 Forbidden responses instead of 401 Not Authorized. This is because the DSP auto-downgraded my logged-in user to a guest user, tried to perform the request, and then returned a 403.

Now I am unable to differentiate between a genuine 403 Forbidden (when the user’s session IS valid, but is trying to do something forbidden) and a 401 (when the user’s session is simply expired). It is important for me to distinguish between the two responses, because the former indicates a bug or hacking behaviour, while the latter is mundane. It is not useful to get a 403 for both cases.

Is there a way to perform requests while disabling auto-downgrade to the guest role? Or maybe a way to test if the current session is a guest session? Or maybe a way to find out if the current session is merely expired, not a guest session?


#2

You can test for a guest session by doing a GET on /rest/user/session.

It will return an empty string for session_id if you are in a guest session.
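Putting that check to work in the client, as an added example that is not code from the thread or from the DSP itself: on a 403, query /rest/user/session and use an empty session_id to tell an expired login (auto-downgraded to guest) apart from a genuine authorization failure. It assumes the session endpoint returns JSON with a `session_id` field as the answer describes; the helper names, the service path and the mock fetch are constructed for illustration.

```javascript
// Added example, not code from the thread or from the DSP product.
// Assumes GET /rest/user/session returns JSON with a `session_id` field that
// is an empty string for a guest session; helper names and the mock fetch
// are constructed for illustration.

// Pure decision logic: given the original status and the body returned by
// /rest/user/session, decide what the client should treat the response as.
function classify(status, sessionBody) {
  if (status === 401) return "expired";          // not downgraded, plain 401
  if (status !== 403) return "other";            // not an auth problem
  const id = sessionBody && sessionBody.session_id;
  // Empty session_id: we were auto-downgraded to guest, so the login is
  // really expired. Treat it like a 401 (re-authenticate, nothing to log).
  if (!id) return "expired";
  // A real session plus 403: genuine authorization failure, worth logging.
  return "forbidden";
}

// Wrap an API call: on 403, consult the session endpoint before deciding.
async function requestWithSessionCheck(fetchFn, url, options) {
  const res = await fetchFn(url, options);
  if (res.status !== 403) return { outcome: classify(res.status), res };
  const sess = await fetchFn("/rest/user/session");
  const body = sess.ok ? await sess.json() : null;
  return { outcome: classify(403, body), res };
}

// Constructed mock fetch: the API call returns `apiStatus`, and the session
// endpoint reports `sessionId` (empty string = guest session).
function mockFetch(apiStatus, sessionId) {
  return async (url) => {
    if (url === "/rest/user/session") {
      return { ok: true, status: 200, json: async () => ({ session_id: sessionId }) };
    }
    return { ok: apiStatus < 400, status: apiStatus, json: async () => ({}) };
  };
}

// Demo with a constructed service path: the same 403, two different meanings.
requestWithSessionCheck(mockFetch(403, "abc123"), "/rest/example/service")
  .then(({ outcome }) => console.log("valid session:", outcome));   // forbidden
requestWithSessionCheck(mockFetch(403, ""), "/rest/example/service")
  .then(({ outcome }) => console.log("guest session:", outcome));   // expired
```

The extra round trip only happens on a 403, so the common success path is unchanged; a 403 with a non-empty session_id is the case worth alerting on.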