Hi all, I have an application that's been in use for the last 6 months or so and will be going into production in <2 months. I've now seen two instances of the problem described below and I'm fairly lost on how it could possibly happen.
The client first needs to log in. When the server authenticates the credentials sent by the client, the server returns a User object which has a subset of the user's properties (a 'light' user object), plus the session ID as retrieved on the server by calling getThreadLocalRequest().getSession().getId(). The server keeps a hashmap of session IDs against a fully populated user object (which includes their permissions properties amongst other things).

Whenever a client accesses a GWT-RPC that should be protected, one of the parameters of the RPC is the light user object that the client has received from the server. The server authenticates this by:

1) Using HttpServletRequest.isRequestedSessionIdValid()
2) Comparing the session ID sent by the client (as stored in the light user object) and the one stored by the server's hashmap, and the one sent in the RPC's getThreadLocalRequest().getSession().getId().

Any inconsistency between the three raises an exception.

Recently, the second occurrence of a weird error happened: The client has a timer which fires one of these RPCs every 5 seconds to refresh a table. This works really really well - we're using SmartGWT to have a grid that loads new data without the need to flicker or refresh (new rows simply appear, or existing rows update their data every 5 seconds). On this RPC's callback onFailure I just give a generic message with a caught.getMessage() appearing in a popup.

I've had two instances reported by two different users on two different computers now (but both Chrome) where this page has shown a popup showing my generic error, but the contents of the error is actually an error page *from another website*. It's almost as though GWT made the RPC call to the wrong server! (the user sent me a screenie, and surely in my popup there's a 403 error from the gov website) This completely blows my mind. Both instances the error was from a different website (one was a horse racing site, one a government site).
I haven't been able to confirm yet whether the users were actually on those sites at any stage or whether there were cookies from those sites (also note I do not specifically use the Cookies class, and I can verify in Chrome that the JSESSIONID cookie is set with the correct domain and path). I haven't been able to replicate this either. I'm open to any suggestions on how this could be possible.
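
The three-way session check described in the post, sketched in plain Java as an added example; it is not part of the original message or the poster's code. The class, the method names and the sample session IDs are hypothetical, and the servlet calls are modelled as plain parameters so the block runs with only the JDK.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration; all names here are hypothetical, not the poster's code.
public class SessionCheck {
    // Server-side map of session ID -> user name (stand-in for the full user object).
    static final Map<String, String> SESSIONS = new ConcurrentHashMap<>();

    // Constant-time comparison of the client-supplied ID; null never matches.
    static boolean same(String a, String b) {
        if (a == null || b == null) return false;
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * requestedIdValid: result of HttpServletRequest.isRequestedSessionIdValid()
     * containerId:      ID of the container's session; getSession(false) avoids
     *                   creating a fresh session as a side effect of the check
     * clientId:         session ID carried in the light user object
     */
    static String authenticate(boolean requestedIdValid, String containerId, String clientId) {
        if (!requestedIdValid)
            throw new SecurityException("requested session ID is not valid");
        if (!same(clientId, containerId))
            throw new SecurityException("client and container session IDs differ");
        String user = SESSIONS.get(containerId); // third source: the server's own map
        if (user == null)
            throw new SecurityException("no server-side user for this session");
        return user;
    }

    static String attempt(boolean valid, String containerId, String clientId) {
        try {
            return "ok: " + authenticate(valid, containerId, clientId);
        } catch (SecurityException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        SESSIONS.put("A1B2C3", "alice");                      // constructed sample data
        System.out.println(attempt(true, "A1B2C3", "A1B2C3")); // all three agree
        System.out.println(attempt(true, "A1B2C3", "FFFFFF")); // light object disagrees
        System.out.println(attempt(false, "A1B2C3", "A1B2C3")); // expired or unknown cookie
        System.out.println(attempt(true, "D4E5F6", "D4E5F6")); // session not in the map
    }
}
```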
