I've been switching my RPC calls to use XsrfTokenServiceServlet per this
link:
https://developers.google.com/web-toolkit/articles/security_for_gwt_applications#cross-site
It's working quite well except that I occasionally get this error on the
first RPC method call:

    Exception while dispatching incoming RPC call
    com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract com.google.gwt.user.client.rpc.XsrfToken com.google.gwt.user.client.rpc.XsrfTokenService.getNewXsrfToken()' threw an unexpected exception: com.google.gwt.user.client.rpc.RpcTokenException: Invalid RPC token (Session cookie is not set or empty! Unable to generate XSRF cookie)

I found one other group message about this but wasn't sure what's the best
fix. The workaround I'm using at the moment is to set this in the client
when my app starts:

    Random random = new Random();
    Cookies.setCookie("JSESSIONID", Long.toString(random.nextLong()));

However, this raises a number of questions/problems.
- How to guarantee that JSESSIONID is the right cookie name, as the actual
name is defined in web.xml?
- Do I have to configure any expiration?
- Seems like a server solution would be better but I didn't find one that
works.
Or is it preferred to just not protect the first RPC method?
How have others solved this? (Seems like if this is expected to be an
issue... GWT would have mentioned it in the link.)
Thanks,
-Dave
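
A server-side alternative to the client-set cookie, as an added example that is not part of the original post or GWT's own code: a servlet filter that makes the container create the session, and so issue its own session cookie, on the host page request before any RPC is sent. The class name `EnsureSessionFilter` and the `/MyApp.html` host page path are hypothetical; `gwt.xsrf.session_cookie_name` is the context parameter the GWT XSRF servlets read for the cookie name.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/*
 * web.xml wiring (assumed paths; adjust to the application):
 *
 *   <context-param>
 *     <param-name>gwt.xsrf.session_cookie_name</param-name>
 *     <param-value>JSESSIONID</param-value>  <!-- must match the container's cookie name -->
 *   </context-param>
 *   <filter>
 *     <filter-name>ensureSession</filter-name>
 *     <filter-class>EnsureSessionFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>ensureSession</filter-name>
 *     <url-pattern>/MyApp.html</url-pattern>  <!-- hypothetical host page -->
 *   </filter-mapping>
 *
 * The filter must be mapped to a request that completes BEFORE the first
 * RPC (the host page), not to the XSRF token servlet itself: the token
 * servlet reads the session cookie from the incoming request, and a session
 * created during that same request is not yet present in its Cookie header.
 */
public class EnsureSessionFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            // Creates a session if none exists. Called before the chain so the
            // response is not yet committed and the container can add Set-Cookie.
            ((HttpServletRequest) request).getSession(true);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

With this in place the session identifier comes from the container's own generator and expires with the server-side session, so the client no longer has to pick a cookie name, value, or lifetime. If the host page is served from the browser cache the filter does not run, so the page needs to be revalidated on each load.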