Hi Magnus,

When using a Servlet Container, you don't have to worry about such
stuff at all: as soon as you use request.getSession().setAttribute() /
request.getSession().getAttribute(), you work with the user's session.
Internally, this session has an ID, but this ID is normally hidden from
you (when you use TamperData with Firefox, you can make the JSESSIONID
value visible). So, I'd agree with you not to send the primary key of
the user anywhere - just leave it in the server-side user session...

Hope this helps - best regards
     Sebastian Rothbucher

On 8 Aug., 03:55, Magnus <[email protected]> wrote:
> Hi,
>
> the LoginSecurity-FAQ as well as many other tutorials refers to a
> session ID:
> http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecur...
>
> Why should I use something like an "ID" for a session? I simply store
> the primary key of the current user in my session and it seems to be
> enough.
>
> The special topic in this FAQ is the remember functionality: Store the
> Session ID in a Cookie so that the user does not need to log in every
> time. Should I store the User ID there?
>
> Isn't this dangerous? I believe that any client can manipulate its
> cookies to arbitrary values...
>
> Magnus

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.
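
The question raised in this thread, as an added example that is not part of either message or of the FAQ it links to: a remember-me cookie can carry a random token that the server maps to the user's primary key, so a client-edited cookie value matches nothing on the server. The class name `RememberMeStore`, the in-memory map and the user id 42 are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical remember-me store: the cookie carries a random token, never the user's primary key. */
public class RememberMeStore {
    private static final SecureRandom RNG = new SecureRandom();
    // Server-side table: SHA-256(token) -> user primary key (assumption: a real system
    // keeps this in a database table together with an expiry time).
    private final Map<String, Long> userByTokenHash = new ConcurrentHashMap<>();

    /** Called after a successful login with "remember me" set; the return value becomes the cookie value. */
    public String issue(long userId) {
        byte[] raw = new byte[32];                        // 256 random bits
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        userByTokenHash.put(hash(token), userId);         // only the hash is stored server-side
        return token;
    }

    /** Called when a request brings the cookie but has no live session. Tokens are single-use. */
    public Optional<Long> redeem(String cookieValue) {
        if (cookieValue == null) return Optional.empty();
        // remove() consumes the token; the caller issues a fresh one and sets a new cookie.
        return Optional.ofNullable(userByTokenHash.remove(hash(cookieValue)));
    }

    private static String hash(String token) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);           // SHA-256 is required on every Java platform
        }
    }

    public static void main(String[] args) {
        RememberMeStore store = new RememberMeStore();
        String cookie = store.issue(42L);                 // constructed sample user id
        System.out.println(store.redeem("42"));           // client-edited cookie holding a user id
        System.out.println(store.redeem(cookie));         // the token the server actually issued
        System.out.println(store.redeem(cookie));         // the same token presented a second time
    }
}
```

After a successful `redeem`, the servlet would put the returned key into the server-side session with `request.getSession().setAttribute()`, as described in the reply above.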
