Ultimately I think much of my concern will be moot because SSL will be turned on at all times. However, I do love academic discussions. As for #1, let's say we refresh the page or the user closes the browser and comes back. Either of those events requires the application to initialize its static variable for the SID FROM the cookie, yes? This is an occasion where I do not see a good solution for improving upon an obvious security flaw in favor of usability.
As for #2, can Tomcat not be configured to store state (as long as it is serializable) in a persistent store, such as a file system or database? I am incredibly familiar with ASP.NET and web application design in general, but am using GWT to create a cross-platform web-app, so please pardon the newbish questions WRT Tomcat as an app-tier. Doing some digging in my JSP book, it does appear that Tomcat can be configured to use a shared state server for the purposes of clustering web servers. In this case, doesn't #2 go back to "Let Tomcat handle it"?

Thank you again!