For what it's worth, I do a variation on #2.

When a user authenticates the first time, in the server-side session I add a 
couple of attributes that are never visible client side.  On any subsequent 
request to the server, within my servlets I check to see if the session is 
null or not, and then also whether these special session attributes are set.  
If not set, I consider it an invalid, unauthorized request and kick them out 
of the app, back to the login screen.

To keep the session alive, a client-side timer is used to send a keep-alive 
to the server every 45 seconds.  This provides me with both the ability to 
keep the session timeouts low as well as notify the user within 45 seconds 
of network disconnect.

-W


On Thursday, June 21, 2012 2:34:44 AM UTC-5, Santosh wrote:
>
> Also, any ideas on question 2 and 3? 
>
> On Jun 21, 12:33 pm, Santosh <[email protected]> wrote: 
> > In this way, you need to get hold of the server generated session id 
> > in client first time and use it to check whether session id stored is 
> > null or not. Just wanted to check, whether it would be a best practice 
> > solution? 
> > 
> > On Jun 21, 12:15 pm, Nikola Markovic <[email protected]> wrote: 
> > 
> > > 1. Keep your session id on the client as well. That way you know if 
> > > you're logged in, or not, on the client side. User can type in a URL 
> > > and if the user isn't logged in, you can just switch to a login 
> > > activity.

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/google-web-toolkit/-/yDjwFJeX-oMJ.
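
The server-side check described in the reply above, sketched as a servlet filter. This is an added example, not code from the thread or from GWT; the attribute names, the 120-second timeout, the 401 response and the helper `markAuthenticated` are assumptions made for illustration. It also issues a fresh session at login so a session id handed out before authentication is never promoted to an authenticated one.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Rejects any request whose session lacks the server-only markers set at login. */
public class AuthMarkerFilter implements Filter {
    // Hypothetical attribute names; they exist only in the server-side session.
    static final String USER_ATTR = "auth.user";
    static final String LOGIN_TIME_ATTR = "auth.loginTime";
    // Assumed timeout: long enough to tolerate two missed 45-second keep-alives.
    static final int TIMEOUT_SECONDS = 120;

    /** Call from the login servlet once credentials have been verified. */
    public static void markAuthenticated(HttpServletRequest req, String user) {
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();          // drop any pre-login session id
        HttpSession s = req.getSession(true);
        s.setAttribute(USER_ATTR, user);
        s.setAttribute(LOGIN_TIME_ATTR, Long.valueOf(System.currentTimeMillis()));
        s.setMaxInactiveInterval(TIMEOUT_SECONDS);
    }

    static boolean isAuthenticated(HttpSession s) {
        return s != null
            && s.getAttribute(USER_ATTR) instanceof String
            && s.getAttribute(LOGIN_TIME_ATTR) instanceof Long;
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        HttpSession s = req.getSession(false);      // never create a session here
        if (!isAuthenticated(s)) {
            if (s != null) s.invalidate();
            // RPC and keep-alive calls are XHR, so signal with a status code;
            // the client shows the login screen when it sees 401.
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(rq, rs);                     // keep-alive requests pass here too
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Map the filter to every RPC and keep-alive URL but not to the login servlet itself, otherwise nobody can authenticate.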