If you store the session ID in a cookie so that user logins can persist beyond browser refreshes (as suggested in the FAQ), then the session ID will end up in the header anyway.
eags wrote:
> I am implementing user logins and authentication using the model
> presented in the login security FAQ. In particular I plan on manually
> maintaining a table of {sessionID,User,timeout} values for each active
> session and not using the normal servlet session functionality.
>
> So, my question is, where do I get the ID that is returned to the
> client? I know that I can get one from the servlet session using
> HttpServletRequest.getSession().getId() but it seems like I could just
> use any randomly generated key right? And maybe in fact I should not
> use that technique because that sessionID is also in the header where
> it can be easily snooped right? So, what is a good technique for
> generating the sessionID? To avoid duplicates I would just check the
> sessionID table before returning the sessionID to the client and if it
> is already in use I just call generateSessionID() again. So my
> question is what should getSessionID() look like?
>
> I realize the recommended approach in the LoginSecurityFAQ is
> controversial and I've already read all that debate so I'm not really
> interested in more of that. I just need specific help regarding these
> questions assuming I am doing what is recommended in the FAQ.
>
> Thanks in advance for any help.
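As an added example that is not part of the thread, here is a minimal version of the table-based scheme the question describes: a generateSessionID() built on SecureRandom, the {sessionID, user, timeout} table, and the duplicate-check retry the poster planned. The class and method names and the 30-minute timeout are assumptions, not anything from the FAQ or GWT.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical server-side session table: sessionID -> (user, expiry), as in the question. */
public final class SessionStore {
    private static final SecureRandom RNG = new SecureRandom(); // CSPRNG; java.util.Random is guessable
    private static final int ID_BYTES = 32;                      // 256 bits: unguessable, collisions negligible
    private static final long TIMEOUT_MS = 30 * 60 * 1000L;      // assumed 30-minute session lifetime

    private record Entry(String user, long expiresAt) {}
    private final Map<String, Entry> sessions = new ConcurrentHashMap<>();

    /** The generateSessionID() the poster asks about: random bytes, URL-safe Base64, no padding. */
    static String generateSessionID() {
        byte[] raw = new byte[ID_BYTES];
        RNG.nextBytes(raw);
        // URL-safe alphabet so the value survives cookie and query-string transport unchanged
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Creates a session; putIfAbsent makes the duplicate check and the insert one atomic step. */
    public String login(String user) {
        String id;
        do {
            id = generateSessionID();
        } while (sessions.putIfAbsent(id, new Entry(user, System.currentTimeMillis() + TIMEOUT_MS)) != null);
        return id;
    }

    /** Returns the user for a live session, or null; an expired entry is evicted on lookup. */
    public String userFor(String id) {
        Entry e = sessions.get(id);
        if (e == null) return null;
        if (System.currentTimeMillis() > e.expiresAt()) {
            sessions.remove(id); // timeout elapsed: treat as logged out
            return null;
        }
        return e.user();
    }

    /** Logout invalidates server-side, so a copied ID stops working even if the client keeps it. */
    public void logout(String id) {
        sessions.remove(id);
    }
}
```

Because the ID travels in a cookie header either way, the server-side expiry and logout here are what bound the damage if it is observed in transit; serving the cookie only over HTTPS with the Secure and HttpOnly flags is the complementary transport-side control.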