Hi all, I have an application that does some simple login and session management. I'm not using any particular frameworks. Here are the basics of what I'm doing:
1) The user logs in via the front end.
2) The credentials are authenticated on the server side using GWT-RPC.
3a) The server side returns a dumbed-down User POJO, with the session ID set, to the client.
3b) The server side keeps a fully populated User POJO (including the session ID) using getThreadLocalRequest().getSession().setAttribute("user", userFromDB);
4) In each GWT-RPC, the client side sends the User POJO it has in the parameters (for any RPCs that require some authentication/access control).
5) The server side gets the session ID from the RPC param User POJO and compares it with the session ID stored in the User POJO from getThreadLocalRequest().getSession().getAttribute("user"). If this checks out, the RPC is executed.

(Please also point out if this way of authenticating is not ideal/secure.)

This has worked fine for me; however, I've found that when I'm testing and have multiple instances of the program open (one running on port 8888 and one on 8889), some funny things start to happen:

* Instance on 8888 starts, and user logs in:
  [18:06:46,026] DEBUG SessionManager:66 - User bob logged in with SID: 15vqhpc1r06yi

* Instance on 8889 starts, and user logs in:
  [18:07:04,667] DEBUG SessionManager:66 - User bob logged in with SID: sd560k3liwvl

* Instance 8888's RPC fails:
  [18:07:06,230] ERROR SessionManager:110 - getSession has no user object:
  [18:07:06,230] ERROR SessionManager:111 - client sent: bob, sid: 15vqhpc1r06yi
  [18:07:06,230] ERROR SessionManager:112 - server session sid: 1pwzxs8dyzfbn

* Instance 8889's RPC also fails:
  [18:07:09,901] ERROR SessionManager:110 - getSession has no user object:
  [18:07:09,901] ERROR SessionManager:111 - client sent: bob, sid: sd560k3liwvl
  [18:07:09,901] ERROR SessionManager:112 - server session sid: nkiyx2iip6l6

This does NOT happen if the two instances are running on different servers, or if I have two browsers both pointing to the same instance. I'm testing using the latest version of Chrome.

Is there some gap in my understanding? It seems as though getSession isn't returning the session I expected when I have two instances running on the same server.

    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;

    public static User loginUser(User user, HttpServletRequest request) {
        HttpSession session = request.getSession();
        // Copy the container's session ID into the POJO that goes back to the client
        user.setSessionId(session.getId());
        user.setPassword(null); // never send the password back to the client
        session.setMaxInactiveInterval(-1); // negative value: the session never times out
        session.setAttribute("user", user);
        log.debug("User " + user.getUsername() + " logged in with SID: " + user.getSessionId());
        return user;
    }

    public static void checkUser(User user, HttpServletRequest request) throws AuthenticationException {
        String payloadSID = user.getSessionId();
        HttpSession session = request.getSession();
        // The User stored at login; null if this request's session never went through loginUser()
        User serverUser = (User) session.getAttribute("user");
        if (serverUser == null) {
            log.error("getSession has no user object: ");
            log.error("\tclient sent: " + user.getUsername() + ", sid: " + user.getSessionId());
            log.error("\tserver session sid: " + session.getId());
            throw new AuthenticationException();
        }
        String serverUserSID = serverUser.getSessionId();
        if (!serverUserSID.equals(payloadSID)) {
            log.error("Payload/Server SID mismatch for " + user.getUsername());
            log.error("Payload SID: " + user.getSessionId());
            log.error("Request SID: " + serverUserSID);
            throw new AuthenticationException();
        }
    }
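The failure shown in the logs above, reproduced as an added example that is not part of the original post: a constructed model of two servlet containers on one host that share one browser cookie jar. It assumes only RFC 6265 cookie behaviour (cookies are scoped by host, not port, so the JSESSIONID set by one instance overwrites the other's) and the semantics of HttpServletRequest.getSession() (an ID this container does not know yields a fresh, empty session); the session IDs, the Container/Browser classes and the login_user/check_user mirrors are constructed stand-ins, not the poster's code.

```python
import secrets

class Container:
    """Stand-in for one servlet container and its HttpSession store (constructed)."""
    def __init__(self):
        self.sessions = {}  # session id -> attribute dict

    def get_session(self, cookie_sid):
        # Like HttpServletRequest.getSession(): reuse the session named by the
        # JSESSIONID cookie only if THIS container created it; otherwise make a new one.
        if cookie_sid in self.sessions:
            return cookie_sid, self.sessions[cookie_sid]
        sid = secrets.token_hex(8)  # constructed id, not a real JSESSIONID
        self.sessions[sid] = {}
        return sid, self.sessions[sid]

class Browser:
    """Cookie jar keyed by host only: RFC 6265 cookies are not isolated by port."""
    def __init__(self):
        self.jar = {}  # (host, cookie name) -> value

    def request(self, host, container, handler, *args):
        key = (host, "JSESSIONID")
        sid, session = container.get_session(self.jar.get(key))
        self.jar[key] = sid  # Set-Cookie from this instance overwrites the other's value
        return handler(sid, session, *args)

def login_user(sid, session, username):
    """Mirror of the post's loginUser(): store the user, with its SID, in the session."""
    user = {"username": username, "sid": sid}
    session["user"] = user
    return user  # the client keeps this POJO and echoes it in later RPCs

def check_user(sid, session, client_user):
    """Mirror of the post's checkUser(): None if the RPC may proceed, else the reason."""
    server_user = session.get("user")
    if server_user is None:
        return f"getSession has no user object; server session sid: {sid}"
    if server_user["sid"] != client_user["sid"]:
        return "Payload/Server SID mismatch"
    return None

def reproduce(host_a="localhost", host_b="localhost"):
    """Log in on instance A, then B, then retry an RPC on each; returns (A, B) outcomes.
    Same host (the post's 8888/8889 case): both RPCs fail. Different hosts: both pass."""
    browser, a, b = Browser(), Container(), Container()
    bob_a = browser.request(host_a, a, login_user, "bob")
    bob_b = browser.request(host_b, b, login_user, "bob")
    return (browser.request(host_a, a, check_user, bob_a),
            browser.request(host_b, b, check_user, bob_b))
```

With both instances on the same host the second login's Set-Cookie replaces the first instance's JSESSIONID, so each container then sees an unknown ID, creates an empty session and reports a third SID, exactly as in the "server session sid" log lines.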