The session cookie should always be present because of your login process. You don't need an XSRF token during login, but once you have successfully authenticated (and thus a session id is available), the very first thing to do is to fetch an XSRF token from the server. So basically your login() and getNewXsrfToken() methods are not protected with an XSRF token.
Personally I like to have two apps: the first one is just a very small login app (not necessarily a GWT app) that does not use XSRF tokens at all, and the second app is the real GWT app. Once the real app starts, the very first thing it does is to fetch an XSRF token and then use it for all other requests, like fetching the logged-in user information, which would probably be the second thing to do. If I can't get an XSRF token for any reason, I redirect to the login app. In this scenario you could also use a dynamic host page for the real app and let the server dynamically include the XSRF token and user information right into the host page, so you can read it with GWT using the Dictionary class. That would save some requests on app startup. But personally I don't do that for now. -- J.
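The startup sequence described in the post, written out as an added example (not code from the post or from GWT itself): fetch an XSRF token first, attach it to every RPC proxy, fall back to the login app if the token cannot be obtained. The UserService/UserServiceAsync interfaces, the "user" and "xsrf" servlet paths and the "/login" URL are assumptions; the GWT types (XsrfTokenService, XsrfToken, HasRpcToken, XsrfProtectedService) are real.

```java
import com.google.gwt.core.client.EntryPoint;
import com.google.gwt.core.client.GWT;
import com.google.gwt.user.client.Window;
import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwt.user.client.rpc.HasRpcToken;
import com.google.gwt.user.client.rpc.RemoteServiceRelativePath;
import com.google.gwt.user.client.rpc.ServiceDefTarget;
import com.google.gwt.user.client.rpc.XsrfProtectedService;
import com.google.gwt.user.client.rpc.XsrfToken;
import com.google.gwt.user.client.rpc.XsrfTokenService;
import com.google.gwt.user.client.rpc.XsrfTokenServiceAsync;

// Hypothetical application service. Extending XsrfProtectedService makes the
// server-side XsrfProtectedServiceServlet reject calls without a valid token.
@RemoteServiceRelativePath("user")
interface UserService extends XsrfProtectedService {
    String getCurrentUser();
}

interface UserServiceAsync {
    void getCurrentUser(AsyncCallback<String> callback);
}

public class RealApp implements EntryPoint {
    private final UserServiceAsync userService = GWT.create(UserService.class);

    @Override
    public void onModuleLoad() {
        // Step 1: the very first request of the real app is the token fetch.
        // The session cookie set by the login app is sent automatically.
        XsrfTokenServiceAsync xsrfService = GWT.create(XsrfTokenService.class);
        ((ServiceDefTarget) xsrfService).setServiceEntryPoint(GWT.getModuleBaseURL() + "xsrf");

        xsrfService.getNewXsrfToken(new AsyncCallback<XsrfToken>() {
            @Override
            public void onFailure(Throwable caught) {
                // No token (no session, expired session, server error): back to the login app.
                Window.Location.assign("/login");
            }

            @Override
            public void onSuccess(XsrfToken token) {
                // Step 2: every XSRF-protected proxy carries the token from now on.
                ((HasRpcToken) userService).setRpcToken(token);
                // Step 3: the first real call, the logged-in user information.
                userService.getCurrentUser(new AsyncCallback<String>() {
                    @Override public void onFailure(Throwable caught) { Window.Location.assign("/login"); }
                    @Override public void onSuccess(String user) { Window.setTitle("Logged in as " + user); }
                });
            }
        });
    }
}
```

The "xsrf" path must be mapped in web.xml to XsrfTokenServiceServlet with the gwt.xsrf.session_cookie_name init-param set to the login app's session cookie name, otherwise the token fetch fails.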
