Yeah, I guess I shouldn't have made that assumption implicit.  My
webapps are never trusted.  Any validation I do on input is usually
duplicated on the server side (sometimes like password confirmation
there's no need).  Actually more is usually done on the server as well
to make sure we're not getting malformed input like null pointers &
whatnot.

Every RPC call, except for the login, is always authenticated to make
sure it's a valid session.

Also, I keep the server stateless which I find tends to make things
easier to manage on the server.  State across communication I find
tends to be related to maintaining the UI & the server can just
perform stateless actions that retrieve data and/or persist it without
knowing what the user has done previously.

The only server state is the session management, which I persist in a
database, thus the servlet itself is stateless.

On Thu, Apr 16, 2009 at 12:42 PM, Jason Essington
<[email protected]> wrote:
>
> Right, a client side timer is a nice user convenience, but don't make
> the mistake of depending on the client side code to perform the
> logout, you will always need a server side solution as well.
>
> The client must always be considered untrustworthy and unreliable. So
> depending solely upon the client to log out will undoubtedly leave you
> with random logged-in clients even past their timeout.
>
> The causes could be as simple as a browser crash or network
> disconnect, or as nefarious as a rogue client.
>
> -jason
>
> On Apr 16, 2009, at 9:53 AM, Vitali Lovich wrote:
>
>>
>> I used both.
>>
>> It depends what kind of behaviour you want.  Here's what I have in the
>> class that implements the onModuleLoad:
>>
>>       @Override
>>       public void onPreviewNativeEvent (NativePreviewEvent preview)
>>       {
>>               if (closingRegistration == null)
>>                       // not logged in yet
>>                       return;
>>
>>               // Event.KEYEVENTS and Event.MOUSEEVENTS are bitmasks combining
>>               // several event types, so a single event type from getTypeInt()
>>               // never equals them in a switch case; test with a mask instead.
>>               int type = preview.getTypeInt();
>>               int activity = Event.KEYEVENTS | Event.MOUSEEVENTS
>>                               | Event.ONCLICK | Event.ONDBLCLICK | Event.ONMOUSEWHEEL;
>>               if ((type & activity) != 0)
>>               {
>>                       // user is active: push the inactivity warning out again
>>                       logoutWarn.schedule(LoginModel.SESSION_TIMEOUT
>>                                       - LoginModel.SESSION_WARN_TIMEOUT / LOGOUT_SPEED);
>>                       // (eventually) tell the server the session is still live
>>                       Controller.viewUpdated(Application.View.USER_ACTION, null);
>>               }
>>       }
>>
>> logoutWarn is just a Timer object (the arithmetic there is just for
>> some animation stuff that warns the user there's a logout approaching
>> due to inactivity).  Controller.viewUpdated simply sends
>> an RPC to the server telling it that there was a user action (i.e.
>> refresh the session on the server side).  This isn't a direct RPC call
>> though.  It keeps postponing the RPC call (which is done within a
>> timer) until a threshold is reached.
>>
>> On the server side, I persist sessions in the database.  Every RPC
>> call refreshes the session in the database.  If a session is not
>> valid, that'll throw a specific exception - all RPC callbacks are
>> actually wrapped in a central callback that handles server errors
>> (i.e. if the server responds with not authenticated, it'll force a
>> logout of the UI).
>>
>> Also, when the UI logs out due to inactivity, it sends an RPC call to
>> the server telling it the session has been invalidated (not strictly
>> necessary, but just a security thing) & removes any session related
>> cookies.
>>
>> Hope this helps.
>>
>> On Thu, Apr 16, 2009 at 11:32 AM, Jason Essington
>> <[email protected]> wrote:
>>>
>>> You'd probably want to control that on the server side, so a session
>>> timeout would be the simplest method.
>>>
>>> -jason
>>>
>>> On Apr 16, 2009, at 8:23 AM, Mark wrote:
>>>
>>>>
>>>> Hi all.
>>>>
>>>> I am new to GWT.
>>>>
>>>> I want to implement an auto logout feature for my application.
>>>>
>>>> Any ideas will be most welcome as I am bleak.
>>>>
>>>> Mark
>>>>

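The server-side half of what this thread describes (stateless servlet, session refreshed on every RPC, a specific exception when the session is invalid, explicit invalidation on logout), written here as an added example rather than code from the thread. It assumes an in-memory Map standing in for the database and a constructed 15-minute idle timeout; NotAuthenticatedException and SessionStore are names chosen for this example.

```java
import java.util.HashMap;
import java.util.Map;

/** Thrown when an RPC arrives with a missing, unknown or expired session. */
class NotAuthenticatedException extends Exception {
    NotAuthenticatedException(String msg) { super(msg); }
}

/**
 * Server-side idle-timeout check for a stateless servlet. The Map stands in for
 * the database the thread describes (an assumption); time is passed in for testing.
 */
class SessionStore {
    static final long IDLE_TIMEOUT_MS = 15 * 60 * 1000L;  // constructed value, not from the thread
    private final Map<String, Long> lastSeen = new HashMap<String, Long>();
    /** Login: record a fresh session (the id must come from a CSPRNG in real code). */
    void create(String sessionId, long nowMs) { lastSeen.put(sessionId, nowMs); }

    /**
     * Called first by every authenticated RPC. Because the server decides, a
     * client that crashed, lost its network or never sent its logout RPC is
     * still cut off once the idle window passes. Success refreshes the session.
     */
    void touch(String sessionId, long nowMs) throws NotAuthenticatedException {
        Long seen = (sessionId == null) ? null : lastSeen.get(sessionId);
        if (seen == null) {
            throw new NotAuthenticatedException("unknown session");
        }
        if (nowMs - seen > IDLE_TIMEOUT_MS) {
            lastSeen.remove(sessionId);  // expired: drop it so it cannot be revived
            throw new NotAuthenticatedException("session expired");
        }
        lastSeen.put(sessionId, nowMs);
    }

    /** Explicit logout RPC: invalidate server-side rather than trusting the client. */
    void invalidate(String sessionId) { lastSeen.remove(sessionId); }

    public static void main(String[] args) throws Exception {
        SessionStore store = new SessionStore();
        store.create("sess-demo", 0L);
        store.touch("sess-demo", 10 * 60 * 1000L);  // RPC at 10 min: accepted and refreshed
        try {
            store.touch("sess-demo", 26 * 60 * 1000L);  // 16 min idle: rejected
        } catch (NotAuthenticatedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```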
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
For more options, visit this group at 
http://groups.google.com/group/Google-Web-Toolkit?hl=en