Sessions and Cookies to autologin in GWT

Question

i know there is a lot of questions on this already but I still didn't seem to find a definitive answer. What i'm looking to do is have users be remembered after they login for say 2 weeks or until they log out. Below is what I think should be happening and I was wondering if anyone with a bit more experience could tell me if i'm right or wrong.

User logs in for the first time. An RPC call to the server returns a 'UserInfo' object which includes with it a new sessionID. Aka on the server this happens and user is returned:

user.setSessionId(getThreadLocalRequest().getSession().getId());

Now after user is returned we must create Cookies to store the client side data. Am i correct in saying we need a Cookie to identify the current user and another for the sessionID:

final long DURATION = 1000 * 60 * 60 * 24 * 14; //duration remembering login - 2 weeks
Date expires = new Date(System.currentTimeMillis() + DURATION);

String sessionID = user.getSessionId();
String username = user.getUsername();
Cookies.setCookie("sessionID", sessionID, expires, null, "/", false);
Cookies.setCookie("username", username, expires, null, "/", false);

Now when the user comes back to the app at a later date we check the cookies and (provided they exists and have not been deleted for some reason such as an explicit log out from the user) use their values to check session validity via RPC to the server:

String sessionID = Cookies.getCookie("sessionID");
String username = Cookies.getCookie("username");

    if ( sessionID != null && username != null){
        AsyncCallback<UserInfo> callBack = new AsyncCallback<UserInfo>(){

            @Override
            public void onFailure(Throwable caught) {

                Window.alert("Error connecting to server.");


            }

            @Override
            public void onSuccess(Boolean sessionValid) {

                if (sessionValid)
                    loadInitialInterfaceForUser("username");
                else
                    loadLoginInterface();
            }

        };

    loginSvc.checkSessionValidity(sessionID,username, callBack);
    }

    else 
        loadLoginInterface();

Now, assuming what I have done so far is correct (which is a bit of a long shot :P) my real question is what exactly should I check at the server side checkSessionValidity(sessionID,username)?

Is it simply a case of fetching the user that I have stored serverside and comparing sessionID with the sessionID I have associated with user? Do I also check it hasn't expired?

I know this is a longwinded and perhaps not very well worded question... I'm struggling to get my head round it so any and all help is very welcome!

Cheers, Steve

score 5 · Accepted Answer · edited May 23 '17 at 12:22

5

Yes,that is a key thing to do.

Here is some interesting point discussed on that (Storing session id and username in DB)

Have a look on this (ofcourse you can check them in impl class instead of servlet)
how to check if a sessionId is valid in a servlet (java).

And here is an excellent example of Session Management in GWT

http://varuntayur.wordpress.com/2012/01/25/session-management-in-gwt

Read this also question on GWT, Cookies and webpage directing

edited May 23 '17 at 12:22

Community

1
1

answered Feb 23 '13 at 21:27

Suresh Atta

120,458
37
198
307

Hey man thanks very much for the response, the example has made things a bit clearer! One thing I was wondering is, in the example, when the user logs out he removes the user from session but does not invalidate the sessionID that is stored in the DB with the user? Should that not be done aswell? – SteveCallender Feb 24 '13 at 11:47
1

See you are mixing the two examples, either you have to maintain in the session or have to store the session id in the db. Need not do both. – Suresh Atta Feb 24 '13 at 12:02
Ahh okay I see. So provided I check that the sessionID stored in the Cookie against the sessionID stored in the DB I dont have to maintain session variables? – SteveCallender Feb 24 '13 at 12:08
Yes..you can maintain session variables too..but need not to store them in db .because you are validating only session id ..not all the session variables ,when he logs in again. – Suresh Atta Feb 24 '13 at 12:16

score 0 · Answer 2 · edited May 23 '17 at 10:26

0

Take a look at the following link.

Cannot use same cookie for multiple GWT applications

This might solve your problem.

edited May 23 '17 at 10:26

Community

1
1

answered Feb 25 '13 at 05:06

Abhijith Nagaraja

3,370
6
27
55

Sessions and Cookies to autologin in GWT

2 Answers2

Linked