I just started implementing the same guide, and used a similar workaround
to you:

    // We must have a session cookie in order to authenticate with the server
    if (Cookies.getCookie("JSESSIONID") == null)
        Cookies.setCookie("JSESSIONID", Double.toString(Math.random()));
    XsrfTokenServiceAsync xsrf = (XsrfTokenServiceAsync) GWT.create(XsrfTokenService.class);
    //etc..

However, this workaround really doesn't sit well with me. Does anyone know
what we're missing?

On Tuesday, July 24, 2012 3:02:45 PM UTC-7, dhoffer wrote:
>
> I've been switching my RPC calls to use XsrfTokenServiceServlet per this
> link
> https://developers.google.com/web-toolkit/articles/security_for_gwt_applications#cross-site
>
> It's working quite well except that I occasionally get this error on the
> first RPC method call.
>
> Exception while dispatching incoming RPC
> call com.google.gwt.user.server.rpc.UnexpectedException: Service
> method 'public abstract
> com.google.gwt.user.client.rpc.XsrfToken
> com.google.gwt.user.client.rpc.XsrfTokenService.getNewXsrfToken()' threw
> an unexpected exception: com.google.gwt.user.client.rpc.RpcTokenException:
> Invalid RPC token (Session cookie is not set or empty! Unable to generate
> XSRF cookie)
>
> I found one other group message about this but wasn't sure what's the best
> fix. The workaround I'm using at the moment is to set this in the client
> when my app starts:
>
> Random random = new Random();
> Cookies.setCookie("JSESSIONID", Long.toString(random.nextLong()));
>
> However this raises a number of questions/problems.
> - How to guarantee that JSESSIONID is the right cookie name as the actual
> name is defined in web.xml.
> - Do I have to configure any expiration?
> - Seems like a server solution would be better but I didn't find one that
> works.
>
> Or is it preferred to just not protect the first RPC method?
>
> How have others solved this? (Seems like if this is expected to be an
> issue...GWT would have mentioned it in the link.)
>
> Thanks,
> -Dave
>
>
>
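
A server-side alternative to the client-set cookie discussed in both messages above, as an added example that is not part of the original thread or of GWT: a servlet filter, mapped to the host page, that makes the container create the session (and so issue its own session cookie) before the first RPC, and that checks at startup that the cookie name GWT looks for matches the one the container sets. The class name is hypothetical; it assumes a Servlet 3.0 container and that the cookie name is given to GWT through the gwt.xsrf.session_cookie_name context-param.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

/**
 * Added example (hypothetical class name). Map it in web.xml to the GWT host
 * page so the container itself issues the session cookie before the first RPC.
 */
public class EnsureSessionFilter implements Filter {
    // Context parameter read by GWT's XsrfTokenServiceServlet.
    private static final String GWT_COOKIE_PARAM = "gwt.xsrf.session_cookie_name";

    @Override
    public void init(FilterConfig config) throws ServletException {
        ServletContext ctx = config.getServletContext();
        // getName() returns null when web.xml keeps the default, JSESSIONID.
        String containerName = ctx.getSessionCookieConfig().getName();
        if (containerName == null) {
            containerName = "JSESSIONID";
        }
        String gwtName = ctx.getInitParameter(GWT_COOKIE_PARAM);
        // Fail at deploy time if GWT would look for a cookie the container never sets.
        if (!containerName.equals(gwtName)) {
            throw new ServletException(GWT_COOKIE_PARAM + "=" + gwtName
                    + " does not match the container session cookie " + containerName);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            // Creates the session if absent; the container adds Set-Cookie with
            // its own random ID, name, path and flags. Must run before the
            // response is committed, hence before chain.doFilter().
            ((HttpServletRequest) req).getSession(true);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Because the container generates the ID and controls the cookie's name and lifetime, the client code no longer needs to call Cookies.setCookie at all.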
--
You received this message because you are subscribed to the Google Groups
"Google Web Toolkit" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/google-web-toolkit/-/wJKGtMuCtwYJ.