Security Interceptor Redirect within AJAX based application

You could have a ‘pre-ajax’ call that hits a white-listed page first that returns the status of the session. If they have timed out then you don’t run the second intended ajax call and redirect the user the same as the security interceptor would. It will slow things down a tiny bit making two ajax calls, but if the pre-ajax session status call just returns a simple Boolean then you probably won’t notice the difference.

The other option is basically what Luis is suggesting, which is to white-list all of your ajax call functions and handle the security check manually in each function, but you could write one function that would handle your ajax security.

On long form pages where the user might be there longer than the session length, I have a timeout warning that runs in the background. If the session length is 15 minutes, I warn them every 10 minutes that they are about to time out. If they click to continue then I hit a page in the background, checking their session status and if they are still logged in, extending their session. Then I restart the timer. I also reset the timer any time another ajax call is made from the same page, since that also extends their session.
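
Added example, not part of the original post: a sketch of the pre-flight session check and the 15/10 minute timer described above, written so that the real call still fails closed if the session ends between the two requests. The `/session/status` URL, the `{ loggedIn }` response shape, the 401 status for an expired session and all function names are assumptions.

```javascript
// Added example: URL, response shape and names are assumptions, not from the post.
const SESSION_MS = 15 * 60 * 1000; // session length used in the post
const WARN_MS = 10 * 60 * 1000;    // warning point used in the post

// Tracks client-side idle time; now() is injectable so the logic can be tested.
function createSessionTimer(now = Date.now) {
  let last = now();
  return {
    touch() { last = now(); }, // call after any request that extends the session
    state() {
      const idle = now() - last;
      if (idle >= SESSION_MS) return 'expired';
      return idle >= WARN_MS ? 'warn' : 'active';
    },
  };
}

// Wraps an AJAX call with the white-listed status check.
// fetchImpl is injected (window.fetch in a browser); onExpired does the redirect.
async function guardedAjax(fetchImpl, timer, url, options, onExpired) {
  const status = await fetchImpl('/session/status', { credentials: 'same-origin' });
  const body = status.ok ? await status.json() : { loggedIn: false };
  if (body.loggedIn !== true) { // fail closed on anything but an explicit true
    onExpired();
    return { expired: true, response: null };
  }
  const response = await fetchImpl(url, options);
  // The session can end between the two calls, so the server-side check on the
  // real endpoint stays authoritative: a 401 is handled the same way.
  if (response.status === 401) {
    onExpired();
    return { expired: true, response: null };
  }
  timer.touch(); // a successful call extended the session
  return { expired: false, response };
}
```

The status check only decides what the browser shows; every non-white-listed endpoint still has to enforce the session on the server.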