I have a few basic questions on session management in GWTP.
- Now, we create a new session when the user logs in to the application. Now, I can open a browser and type in the app URL with a token directly without logging in. It will render the UI page to the user without any checks. Now, we have session checks on the server side. So only if the UI page makes a server call on rendering will I get to know the session is not valid and can redirect him to the login page. But how do we handle the cases where the UI page does not have any server-side logic and the user directly pastes the URL with that token?
Do I have to make a server call on every page request from the GWTP presenter just to check the session is valid? Or do we have any other approaches to it?
- I am not passing any explicit session id param from the GWT client to the server. It's only the JSESSIONID getting passed automatically from the browser to the server. We just do request.getSession() in the server and see if it is null or not (not logged in if null). So I hope we don't have any security issues with this. Please confirm.
- With the GWT client running on Android and the server-side logic exposed as RESTful web services using Jersey, how do we maintain a session, because RESTful WS are stateless? How do we achieve a user session in this case?
No. You don't need to make a server call every time. When you log in, set the current user only once in a logged-in keeper class. The @UseGatekeeper annotation checks the current user instance only and does not make any server call. If the current user exists, it will return true from the canReveal method.
And it will allow access to that presenter's name token in the URL.
Suppose you don't require any session access; then use @NoGatekeeper instead of it.
A.1 You can use the JSESSIONID; there is no security issue.
A.2 By using the JSESSIONID, you can pass the JSESSIONID to make server calls, because the server does the work if it gets the same session.
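The gatekeeper pattern the answer describes, as an added example (not code from the original post or from GWTP itself): a client-side `CurrentUser` holder filled once after login, a `Gatekeeper` whose `canReveal()` only reads that holder, and a presenter proxy protected with `@UseGatekeeper`. Class names, the `"dashboard"` name token and the `username` field are hypothetical; it assumes GWTP 1.x imports.

```java
// Added example, not from the original post. Hypothetical names: DashboardPresenter,
// CurrentUser, LoggedInGatekeeper, name token "dashboard".
package com.example.client;

import javax.inject.Inject;
import javax.inject.Singleton;

import com.google.web.bindery.event.shared.EventBus;
import com.gwtplatform.mvp.client.Presenter;
import com.gwtplatform.mvp.client.View;
import com.gwtplatform.mvp.client.annotations.NameToken;
import com.gwtplatform.mvp.client.annotations.ProxyStandard;
import com.gwtplatform.mvp.client.annotations.UseGatekeeper;
import com.gwtplatform.mvp.client.proxy.Gatekeeper;
import com.gwtplatform.mvp.client.proxy.ProxyPlace;
import com.gwtplatform.mvp.client.proxy.RevealRootContentEvent;

public class DashboardPresenter
        extends Presenter<DashboardPresenter.MyView, DashboardPresenter.MyProxy> {

    /** Client-side "logged-in keeper": set exactly once after a successful login call. */
    @Singleton
    public static class CurrentUser {
        private String username; // null means "not logged in"

        public void setUsername(String username) { this.username = username; }
        public void clear() { this.username = null; }          // call on logout / 401
        public boolean isLoggedIn() { return username != null; }
        public String getUsername() { return username; }
    }

    /** Consulted by GWTP's PlaceManager before revealing any @UseGatekeeper presenter. */
    public static class LoggedInGatekeeper implements Gatekeeper {
        private final CurrentUser currentUser;

        @Inject
        public LoggedInGatekeeper(CurrentUser currentUser) {
            this.currentUser = currentUser;
        }

        @Override
        public boolean canReveal() {
            // No RPC here: a pasted URL in a fresh browser finds an empty CurrentUser
            // and the reveal is rejected without ever touching the server.
            return currentUser.isLoggedIn();
        }
    }

    public interface MyView extends View {
    }

    @ProxyStandard
    @NameToken("dashboard")
    @UseGatekeeper(LoggedInGatekeeper.class)
    public interface MyProxy extends ProxyPlace<DashboardPresenter> {
    }

    @Inject
    DashboardPresenter(EventBus eventBus, MyView view, MyProxy proxy) {
        super(eventBus, view, proxy);
    }

    @Override
    protected void revealInParent() {
        RevealRootContentEvent.fire(this, this);
    }
}
```

When `canReveal()` returns false, GWTP's `PlaceManager` redirects to the place bound with `@UnauthorizedPlace` in your GIN module (normally the login presenter's name token), which is where the "paste a URL without logging in" case ends up. Note that this check lives entirely in compiled JavaScript, so it only decides what the UI shows; any data the dashboard fetches still has to be guarded by the `request.getSession()` check on the server, and the client should call `CurrentUser.clear()` when a server call comes back unauthorized so the two stay in step.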
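For A.2, an added example (not from the original post or from Jersey's own sources) of applying the server-side session check from the question to every Jersey REST call at once, so the Android client only has to send back the `JSESSIONID` cookie it received at login. `SessionRequiredFilter`, the `login` path and the `"user"` session attribute are hypothetical; it assumes Jersey 2 running inside a servlet container.

```java
// Added example, not from the original post. Hypothetical: SessionRequiredFilter,
// the "login" path exemption and the "user" session attribute name.
package com.example.server;

import java.io.IOException;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/** Rejects any REST request that does not carry a live, logged-in servlet session. */
@Provider
@PreMatching
public class SessionRequiredFilter implements ContainerRequestFilter {

    @Context
    private HttpServletRequest request; // the same request the servlet container built

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String path = ctx.getUriInfo().getPath();

        // The login resource is the one endpoint that may be called without a session;
        // it is expected to do request.getSession(true).setAttribute("user", name).
        if (path.startsWith("login")) {
            return;
        }

        // getSession(false) never creates a session. A null result means the JSESSIONID
        // cookie was absent, expired, or already invalidated by logout, which is exactly
        // the request.getSession() == null check from the question, applied centrally.
        HttpSession session = request.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
        }
    }
}
```

Because the filter is `@PreMatching`, it runs before Jersey resolves the resource method, so a new resource cannot be added and forgotten; the resources themselves stay stateless and read the user from `request.getSession(false).getAttribute("user")`. On the Android side the HTTP client needs a cookie store (for example `java.net.CookieManager` installed as the default `CookieHandler`) so the `Set-Cookie: JSESSIONID=...` from the login response is replayed on later calls; a logout endpoint should call `session.invalidate()` so the same id stops working.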