Hi Sebastian, thank you for your reply!
It's fine that I do not need to deal with the session ID and that this stuff is hidden within the servlet framework. But how should I then apply the login/remember cookbook mentioned above (LoginSecurity-FAQ), which tells me to store the session ID in some cookie so the browser can remember the user when he comes back?

http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ

The FAQ - which was made for GWT! - says that I should store the session ID in a cookie after login:

    String sessionID = /*(Get sessionID from server's response to your login request.)*/;
    final long DURATION = 1000 * 60 * 60 * 24 * 14; // duration remembering login. 2 weeks in this example.
    Date expires = new Date(System.currentTimeMillis() + DURATION);
    Cookies.setCookie("sid", sessionID, expires, null, "/", false);

The following code should be used to remember the user's session at the EntryPoint:

    String sessionID = Cookies.getCookie("sid");
    if (sessionID != null)
        checkWithServerIfSessionIdIsStillLegal();
    else
        displayLoginBox();

However, saying that I do not need to deal with session IDs also means that I cannot use this method. But the LoginSecurity-FAQ was made for GWT-applications: Can you help me out of this contradiction?

Thanks
Magnus

On Aug 8, 4:05 pm, Sebastian Rothbucher <[email protected]> wrote:
> Hi Magnus,
>
> when using a Servlet Container, you don't have to worry about such
> stuff at all: as soon as you use request.getSession().setAttribute() /
> request.getSession().getAttribute(), you work with the user's session.
> Internally, this session has an ID but this ID is normally hidden for
> you (when you use TamperData with Firefox, you can make the JSESSIONID
> value visible). So, I'd agree with you not to send the primary key of
> the user anywhere - just leave it in the server side user session....
>
> Hope this helps - best regards
> Sebastian Rothbucher
>
> On 8 Aug., 03:55, Magnus <[email protected]> wrote:
> > Hi,
> >
> > the LoginSecurity-FAQ as well as many other tutorials refers to a
> > session ID:
> > http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecur...
> >
> > Why should I use something like an "ID" for a session? I simply store
> > the primary key of the current user in my session and it seems to be
> > enough.
> >
> > The special topic in this FAQ is the remember functionality: Store the
> > Session ID in a Cookie so that the user does not need to login every
> > time. Should I store the User ID there?
> >
> > Isn't this dangerous? I believe that any client can manipulate its
> > cookies to arbitrary values...
> >
> > Magnus

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
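The thread turns on what the "sid" value in the FAQ's cookie should actually be. The point Magnus raises in his first post (a client can set its cookies to anything) is exactly why the value must not be the user's primary key: a cookie holding `42` can be rewritten to `43`. What the FAQ's `checkWithServerIfSessionIdIsStillLegal()` needs on the server side is a lookup of an unguessable, server-issued token against a table that maps it back to a user and an expiry. The class below is an added, constructed example written for this thread, not code from GWT, the LoginSecurity-FAQ or any poster; `RememberMeTokens`, `issue`, `lookup` and `revoke` are hypothetical names. It is plain Java with no servlet dependency so it can be compiled and run as-is; in a real application `issue` would be called from the login RPC and its return value handed to `Cookies.setCookie`, and `lookup` would back the server side of the EntryPoint check, placing the resulting user id into `request.getSession()` on success.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical server-side store for long-lived "remember me" tokens.
 * Constructed example; not part of GWT or the LoginSecurity-FAQ.
 *
 * The browser only ever receives a random token, never the user's primary key.
 * The server keeps a SHA-256 hash of each token, so a copy of the table alone
 * does not yield a value that could be pasted into a cookie.
 */
public class RememberMeTokens {

    /** One issued token: the user it belongs to and when it stops being valid. */
    private static final class Entry {
        final long userId;
        final long expiresAtMillis;

        Entry(long userId, long expiresAtMillis) {
            this.userId = userId;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    /** Same two-week lifetime the FAQ snippet in the thread uses for its cookie. */
    public static final long DURATION = 1000L * 60 * 60 * 24 * 14;

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Entry> byHash = new HashMap<>();

    /** Called after a successful login; the returned string is the value for the "sid" cookie. */
    public String issue(long userId, long nowMillis) {
        byte[] raw = new byte[32];                 // 256 bits from a CSPRNG: not guessable
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byHash.put(hash(token), new Entry(userId, nowMillis + DURATION));
        return token;
    }

    /**
     * Server side of the EntryPoint check. Returns the user id for a valid token,
     * or -1 if the cookie value is unknown, expired or simply made up by the client.
     */
    public long lookup(String cookieValue, long nowMillis) {
        if (cookieValue == null) {
            return -1;
        }
        String key = hash(cookieValue);
        Entry e = byHash.get(key);
        if (e == null) {
            return -1;                             // never issued: forged or already revoked
        }
        if (nowMillis > e.expiresAtMillis) {
            byHash.remove(key);                    // expired: drop it so it cannot be retried
            return -1;
        }
        return e.userId;
    }

    /** Logout / "forget me": invalidating server-side makes a kept cookie useless. */
    public void revoke(String cookieValue) {
        if (cookieValue != null) {
            byHash.remove(hash(cookieValue));
        }
    }

    /** SHA-256 of the token; only this digest is stored, never the token itself. */
    private static String hash(String token) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException("SHA-256 is required by the JDK spec", ex);
        }
    }

    public static void main(String[] args) {
        RememberMeTokens store = new RememberMeTokens();
        long now = System.currentTimeMillis();

        String sid = store.issue(42L, now);        // user with primary key 42 logs in
        System.out.println("genuine cookie      -> user " + store.lookup(sid, now));
        System.out.println("client-edited '42'  -> user " + store.lookup("42", now));
        System.out.println("client-edited '43'  -> user " + store.lookup("43", now));
        System.out.println("two weeks later     -> user " + store.lookup(sid, now + DURATION + 1));

        store.revoke(sid);                         // user logs out
        System.out.println("after logout        -> user " + store.lookup(sid, now));
    }
}
```

Running `main` shows the genuine token resolving to user 42 and every other case, including the edited values `"42"` and `"43"`, resolving to -1. This also reconciles the two views in the thread: the servlet container's JSESSIONID still identifies the live session and the primary key stays in `request.getSession()` as Sebastian advises, while the FAQ's separate "sid" cookie carries only this opaque token. One caveat on the FAQ snippet itself: the last argument of `Cookies.setCookie(name, value, expires, domain, path, secure)` is the `secure` flag, and passing `true` restricts the cookie to HTTPS, which is what you want for a credential that lives two weeks.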
