Actually, I think the answer is here:  
http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ 

On Monday, June 4, 2012 10:40:53 AM UTC-7, Mike Dee wrote:
>
> Just thinking.  When right-clicking a Hyperlink, which starts a new 
> instance of the app in a separate window/tab, how would one figure out the 
> user (that is logged in to the original instance)?  I assume the new 
> instance starts up (onModuleLoad()) and knows nothing about the instance 
> from which it was started.
>
> One idea is to pass the user on the URL, but would that be secure?  Is 
> there a standard way to do this?
>
> On Sunday, June 3, 2012 6:30:39 PM UTC-7, Thomas Broyer wrote:
>>
>>
>>
>> On Monday, June 4, 2012 12:06:42 AM UTC+2, Mike Dee wrote:
>>>
>>> And opening a new window is when authentication comes into play.  The 
>>> user hasn't logged into the new instance of the application (opened in the 
>>> new window).  Hence we are back to the original problem.
>>>
>>> With a regular web app, this wouldn't be a problem.  The state of 
>>> whether the user is logged in is maintained on the server (in session 
>>> variables).  In the case of GWT, the state of whether the user is logged 
>>> in is maintained on the client.
>>>
>>
>> Not necessarily; and if you're doing it that way, then IMO you're either 
>> "over-secure" (at the detriment of UX, which is fine if it's a conscious 
>> choice) or you're doing it wrong.
>>
>> First, I find it way easier to handle authentication separate from the 
>> GWT app, and just consider the user is logged in when/if it loads the GWT 
>> app. That way, you only have to handle the case that the user has been 
>> disconnected and tell him to refresh the page in order to re-authenticate. 
>> And if you open the app while you're already authenticated (using cookies 
>> or whatever, but this is dealt with by the server, unknown to the GWT app) 
>> then it "just works": the GWT app does not know (and does not need to know) 
>> whether you just authenticated or you reloaded the page, or went back to 
>> the app while your authentication session was still active, or opened the 
>> app in another window/tab; it just loads, and you're authenticated.
>>
>> But even if you handle authenticating from within the app, you can very 
>> well set a cookie after authentication and check it onModuleLoad (I did it 
>> once, it works, in practice, not only theoretically).
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/google-web-toolkit/-/baLXrMk1SrMJ.
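
The approach described in the quoted replies above (identity kept in a server-side session keyed by a cookie, never taken from the URL), as an added example that is not part of the original thread. It is written in Node-style JavaScript as a stand-in for whatever server backs the GWT app; the names `SESSION_COOKIE`, `login`, `parseCookies` and `whoAmI` and the request shape are hypothetical.

```javascript
// Added example: server-side session lookup by cookie. All names are hypothetical.
const crypto = require('crypto');

const SESSION_COOKIE = 'sid';
const sessions = new Map(); // session id -> { user, expires }

// Called only after credentials were verified; returns the Set-Cookie value.
function login(user, now = Date.now(), ttlMs = 30 * 60 * 1000) {
  const sid = crypto.randomBytes(32).toString('hex'); // unguessable session id
  sessions.set(sid, { user, expires: now + ttlMs });
  // HttpOnly: page script cannot read the id, but the browser still sends it
  // with requests from every window/tab on the same origin.
  return `${SESSION_COOKIE}=${sid}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// What a freshly opened instance would ask the server (for example through an
// RPC made from onModuleLoad()). req is a stand-in: { url, headers: { cookie } }.
function whoAmI(req, now = Date.now()) {
  const sid = parseCookies(req.headers.cookie)[SESSION_COOKIE];
  const session = sid && sessions.get(sid);
  if (!session) return null;            // no cookie or unknown id
  if (session.expires <= now) {         // expired: drop it, force re-login
    sessions.delete(sid);
    return null;
  }
  return session.user;                  // req.url (e.g. ?user=...) is never consulted
}
```

A new tab gets the same answer as the original window because it sends the same cookie, while a `user` value on the URL has no effect on the result.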