After reading a lot about this topic, I have the following question. My scenario is a login page (user/password) and then, depending on the user role, he can navigate/view some panels or others.

Is this log-in flow correct?

1- Client sends user/password.
2- Server verifies it and, if it is correct, loads the object which contains user id and privileges (called "SessionData") and saves it in the session: this.getThreadLocalRequest().getSession(true).setAttribute(SessionData.USER_INFO, new SessionData(d));
3- The server returns the object "SessionData" to the client. Now, as the client saves the object like a singleton which can be accessed by all the Composites, I know what I have to show to the user.

Is this correct?

My second question is: at the time of making RPC calls to the server, why is it not secure to identify the client by this.getThreadLocalRequest().getSession()? I have read that it is necessary to send the session id in the payload of the call, but I do not know why. Is it because when the server does "this.getThreadLocalRequest().getSession()" it takes the session from cookies? Is the solution to send the session id in the payload of the call and compare it on the server? If I use SSL, is it also necessary to send the session ID in the payload?

Thank you all in advance for your answers, I hope I can understand this.
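The concern behind the second question is that the browser attaches the session cookie to every request for the site, including requests triggered from a page on another origin, so getSession() alone cannot tell the application's own RPC calls from cross-site ones; a value that only the application's own client code can place in the RPC payload can. The example below is added here and is not code from the original post or from GWT (GWT ships its own XsrfProtectedServiceServlet for this); it assumes a hypothetical server-side secret and a constructed session id, and binds a payload token to the session with an HMAC so the server can check it against the session the cookie selected.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

/** Added example: a payload token bound to the HTTP session (not GWT's own XSRF classes). */
public final class RpcSessionToken {
    private static final String ALG = "HmacSHA256";

    // Token the server hands to the client after login, next to SessionData.
    // It is derived from the session id with a server-side secret, so a page on
    // another origin, whose requests get the cookie attached automatically,
    // still cannot produce it. serverSecret is a hypothetical server-held key.
    public static String issue(String sessionId, byte[] serverSecret) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(serverSecret, ALG));
        byte[] tag = mac.doFinal(sessionId.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Called on every RPC: recompute the token from the session the cookie
    // selected (getThreadLocalRequest().getSession(false).getId()) and compare
    // it with the token the client put in the call payload. The constant-time
    // comparison avoids leaking how many leading bytes matched.
    public static boolean verify(String sessionId, byte[] serverSecret, String presented)
            throws Exception {
        if (sessionId == null || presented == null) {
            return false; // no session, or a cookie-only request with no payload token
        }
        byte[] expected = issue(sessionId, serverSecret).getBytes(StandardCharsets.UTF_8);
        byte[] given = presented.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo values; a real deployment keeps the secret out of source.
        byte[] secret = "constructed-demo-secret-replace-me".getBytes(StandardCharsets.UTF_8);
        String sid = "A1B2C3";                 // constructed JSESSIONID value
        String token = issue(sid, secret);
        System.out.println(verify(sid, secret, token));      // the app's own call, carrying its token
        System.out.println(verify(sid, secret, null));       // cookie only, nothing in the payload
        System.out.println(verify("ZZZ999", secret, token)); // token issued for a different session
    }
}
```

SSL/TLS encrypts the channel but does not change which cookies the browser attaches, so the payload check is still needed over HTTPS.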
