I just started implementing the same guide and used a workaround similar 
to yours:

import com.google.gwt.core.client.GWT;
import com.google.gwt.user.client.Cookies;
import com.google.gwt.user.client.rpc.XsrfTokenService;
import com.google.gwt.user.client.rpc.XsrfTokenServiceAsync;

// We must have a session cookie in order to authenticate with the server
if (Cookies.getCookie("JSESSIONID") == null) {
    Cookies.setCookie("JSESSIONID", Double.toString(Math.random()));
}

XsrfTokenServiceAsync xsrf = (XsrfTokenServiceAsync) GWT.create(XsrfTokenService.class);

// etc..


However, this workaround really doesn't sit well with me. Does anyone know 
what we're missing?

On Tuesday, July 24, 2012 3:02:45 PM UTC-7, dhoffer wrote:
>
> I've been switching my RPC calls to use XsrfTokenServiceServlet per this 
> link 
> https://developers.google.com/web-toolkit/articles/security_for_gwt_applications#cross-site
>
> It's working quite well except that I occasionally get this error on the 
> first RPC method call.  
>
> Exception while dispatching incoming RPC 
> call com.google.gwt.user.server.rpc.UnexpectedException: Service 
> method 'public abstract 
> com.google.gwt.user.client.rpc.XsrfToken 
> com.google.gwt.user.client.rpc.XsrfTokenService.getNewXsrfToken()' threw 
> an unexpected exception: com.google.gwt.user.client.rpc.RpcTokenException: 
> Invalid RPC token (Session cookie is not set or empty! Unable to generate 
> XSRF cookie)  
>
> I found one other group message about this but wasn't sure what's the best 
> fix.  The workaround I'm using at the moment is to set this in the client 
> when my app starts:
>
> import java.util.Random;
> import com.google.gwt.user.client.Cookies;
> Random random = new Random();
> Cookies.setCookie("JSESSIONID", Long.toString(random.nextLong())); // fake session cookie so the first RPC has one
>
> However this raises a number of questions/problems.
> - How to guarantee that JSESSIONID is the right cookie name as the actual 
> name is defined in web.xml.
> - Do I have to configure any expiration?  
> - Seems like a server solution would be better but I didn't find one that 
> works.
>
> Or is it preferred to just not protect the first RPC method?
>
> How have others solved this?  (Seems like if this is expected to be an 
> issue...GWT would have mentioned it in the link.)
>
> Thanks,
> -Dave

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/google-web-toolkit/-/wJKGtMuCtwYJ.
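Added example, not code from either post in this thread or from GWT itself: a 
server-side way to make sure the container's own session cookie exists before 
the first XsrfTokenService call, instead of writing a fake JSESSIONID from the 
client. It assumes a Servlet 3.0 container (for @WebFilter and 
SessionCookieConfig); the filter name, URL pattern and class name are 
illustrative choices.

```java
// Added example (not from the thread): ensure the servlet container creates a
// session, and therefore sends its own session cookie, on the first request
// that lacks one. That request is normally the GET for the GWT host page, so
// the cookie is in the browser before any RPC, including getNewXsrfToken(),
// is made. Assumes a Servlet 3.0 container; names below are illustrative.
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

@WebFilter(filterName = "EnsureSessionFilter", urlPatterns = {"/*"})
public class EnsureSessionFilter implements Filter {

  // Content type GWT-RPC requests are sent with.
  private static final String GWT_RPC_CONTENT_TYPE = "text/x-gwt-rpc";

  // Resolved once from the container instead of hard-coding "JSESSIONID".
  private String sessionCookieName;

  @Override
  public void init(FilterConfig config) {
    // getName() returns the name configured in web.xml
    // (<session-config><cookie-config><name>), or null for the container default.
    String configured = config.getServletContext().getSessionCookieConfig().getName();
    sessionCookieName = (configured != null) ? configured : "JSESSIONID";
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;

    boolean hadCookie = hasNonEmptySessionCookie(request);

    // Creates the session if there is none; the container then adds the
    // Set-Cookie header (name, path and max-age from web.xml) to this response.
    request.getSession(true);

    if (!hadCookie && isGwtRpc(request)) {
      // A session cookie issued on this response only reaches the server with
      // the *next* request, so an XsrfTokenService call arriving here without a
      // cookie will still be rejected by XsrfTokenServiceServlet. Logging it
      // makes that failure mode visible; the host page must be served (and the
      // cookie accepted) before the client issues its first RPC.
      request.getServletContext().log(
          "GWT-RPC request without session cookie '" + sessionCookieName
              + "' from " + request.getRemoteAddr());
    }

    chain.doFilter(req, res);
  }

  @Override
  public void destroy() {
  }

  /** True when the request carries a non-empty cookie with the container's session cookie name. */
  boolean hasNonEmptySessionCookie(HttpServletRequest request) {
    Cookie[] cookies = request.getCookies();
    if (cookies == null) {
      return false;
    }
    for (Cookie c : cookies) {
      if (sessionCookieName.equals(c.getName())
          && c.getValue() != null && !c.getValue().isEmpty()) {
        return true;
      }
    }
    return false;
  }

  /** True for GWT-RPC posts, identified by their content type. */
  static boolean isGwtRpc(HttpServletRequest request) {
    String contentType = request.getContentType();
    return contentType != null && contentType.startsWith(GWT_RPC_CONTENT_TYPE);
  }
}
```

Two things follow from this approach. First, XsrfTokenServiceServlet itself 
has to be told the same cookie name, which GWT does through the 
gwt.xsrf.session_cookie_name init-param (or context-param) in web.xml; reading 
the name from SessionCookieConfig in the filter keeps the two from drifting 
apart when the container's cookie name is changed. Second, the XSRF token GWT 
hands out is derived from the session cookie's value, so that value has to be 
unguessable: a container-generated session ID is, whereas a value produced by 
Math.random() or java.util.Random on the client is not, which is a further 
reason to prefer letting the server create the session.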