Hi all,

I have an application that does some simple login and session
management. I'm not using any particular frameworks. Here are the
basics of what I'm doing:

1) The user logs in via the front end
2) The credentials are authenticated on the server side using GWT-RPC
3a) The server side returns a dumbed down User POJO with the session
ID set to the client
3b) The server side keeps a fully populated User POJO (including the
session ID) using
getThreadLocalRequest().getSession().setAttribute("user", userFromDB);
4) In each GWT-RPC, the client side sends the User POJO it has in the
parameters (for any RPCs that require some authentication/access
control)
5) The server side gets the session ID in the RPC param User POJO and
compares it with the session ID stored in the User POJO from
getThreadLocalRequest().getSession().getAttribute("user")

If this checks out, the RPC is executed. (Please also point out if
this way of authenticating is not ideal/secure.)

This has worked for me fine, however I've found that when I'm testing
and have multiple instances of the program open (one running on port
8888 and one 8889) some funny things start to happen:

* Instance on 8888 starts, and user logs in:
[18:06:46,026] DEBUG SessionManager:66 - User bob logged in with SID:
15vqhpc1r06yi

* Instance on 8889 starts, and user logs in:
[18:07:04,667] DEBUG SessionManager:66 - User bob logged in with SID:
sd560k3liwvl

Instance 8888's RPC fails:
[18:07:06,230] ERROR SessionManager:110 - getSession has no user
object:
[18:07:06,230] ERROR SessionManager:111 -       client sent: bob, sid:
15vqhpc1r06yi
[18:07:06,230] ERROR SessionManager:112 -       server session sid:
1pwzxs8dyzfbn

Instance 8889's RPC also fails:
[18:07:09,901] ERROR SessionManager:110 - getSession has no user
object:
[18:07:09,901] ERROR SessionManager:111 -       client sent: bob, sid:
sd560k3liwvl
[18:07:09,901] ERROR SessionManager:112 -       server session sid:
nkiyx2iip6l6


This does NOT happen if the two instances are running on different
servers, or I have two browsers both pointing to the same instance.
I'm testing using the latest version of Chrome.

Is there some gap in my understanding? It seems as though getSession
isn't returning the session I expected when I have two instances
running on the same server?


import javax.servlet.http.HttpServletRequest;
import org.apache.log4j.Logger;

public class SessionManager {

    // The logger and AuthenticationException are assumed to exist in the
    // project; the class name matches the "SessionManager" in the log lines above.
    private static final Logger log = Logger.getLogger(SessionManager.class);

    public static User loginUser(User user, HttpServletRequest request) {
        // Copy the container's session id into the POJO that is returned to the client
        user.setSessionId(request.getSession().getId());
        // Never send the password back to the browser
        user.setPassword(null);
        // -1 means the session never times out on inactivity
        request.getSession().setMaxInactiveInterval(-1);
        request.getSession().setAttribute("user", user);
        log.debug("User " + user.getUsername() + " logged in with SID: " + user.getSessionId());
        return user;
    }

    public static void checkUser(User user, HttpServletRequest request)
            throws AuthenticationException {

        // Session id supplied by the client inside the RPC payload
        String payloadSID = user.getSessionId();
        // User stored in the container session at login time
        User serverUser = (User) request.getSession().getAttribute("user");

        if (serverUser == null) {
            log.error("getSession has no user object: ");
            log.error("\tclient sent: " + user.getUsername() + ", sid: " + user.getSessionId());
            log.error("\tserver session sid: " + request.getSession().getId());
            throw new AuthenticationException();
        }

        String serverUserSID = serverUser.getSessionId();
        if (!serverUserSID.equals(payloadSID)) {
            log.error("Payload/Server SID mismatch for " + user.getUsername());
            log.error("Payload SID: " + user.getSessionId());
            log.error("Request SID: " + serverUserSID);
            throw new AuthenticationException();
        }
    }
}

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.
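The failure in the log is what one browser talking to two instances on the same host produces: the JSESSIONID cookie is scoped by host (and path), not by port, so the second login's Set-Cookie overwrites the first, each instance then receives an id it does not own, getSession() creates a fresh session and sends yet another Set-Cookie, and the "user" attribute is absent on both sides. The Python simulation below is an added example, not code from the post or from GWT; it reproduces that ping-pong, shows that distinct hostnames (localhost vs 127.0.0.1) keep the cookies apart, and demonstrates two hardening points against the posted check: the caller's identity should come from the server-side session only, because the User POJO in the RPC payload is fully client-controlled, and the session id should be rotated at login so a pre-planted id never becomes an authenticated one. The Container and BrowserCookieJar classes, the hostnames and the bob/hunter2 credentials are all constructed for the demo. Not modelled: setMaxInactiveInterval(-1), which disables the idle timeout entirely.

```python
import secrets


class Container:
    """Stand-in for one servlet container instance (one port) and its session
    store. Hypothetical simulation, not the servlet or GWT API."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}  # session id -> attribute dict, like HttpSession

    def _new_sid(self):
        return secrets.token_urlsafe(9)

    def get_session(self, cookies):
        """request.getSession(): reuse the session named by JSESSIONID if *this*
        container owns it; otherwise create a fresh one and emit a Set-Cookie."""
        sid = cookies.get("JSESSIONID")
        set_cookie = {}
        if sid not in self.sessions:
            sid = self._new_sid()
            self.sessions[sid] = {}
            set_cookie = {"JSESSIONID": sid}
        return sid, self.sessions[sid], set_cookie

    def login(self, cookies, username, password):
        """Authenticate, then bind the user to a *new* session id so an id chosen
        before login (session fixation) never becomes an authenticated one."""
        if not (username == "bob" and password == "hunter2"):  # constructed credentials
            return None, {}
        self.sessions.pop(cookies.get("JSESSIONID"), None)
        sid = self._new_sid()
        self.sessions[sid] = {"user": username}
        return username, {"JSESSIONID": sid}

    def rpc(self, cookies):
        """Authenticated RPC: identity comes only from the server-side session.
        A client-supplied User object or session id is never consulted."""
        _, attrs, set_cookie = self.get_session(cookies)
        return attrs.get("user"), set_cookie


class BrowserCookieJar:
    """Cookies are keyed by host (and path) only; the port is not part of the scope."""

    def __init__(self):
        self.by_host = {}

    def store(self, host, set_cookie):
        self.by_host.setdefault(host, {}).update(set_cookie)

    def cookies_for(self, host):
        return dict(self.by_host.get(host, {}))


def exchange(browser, host, container, action, *args):
    """One HTTP round trip: send the host's cookies, store whatever comes back."""
    result, set_cookie = action(container, browser.cookies_for(host), *args)
    browser.store(host, set_cookie)
    return result


def reproduce_collision():
    """Two instances on localhost:8888 and localhost:8889 share one browser."""
    browser = BrowserCookieJar()
    a, b = Container("localhost:8888"), Container("localhost:8889")
    exchange(browser, "localhost", a, Container.login, "bob", "hunter2")
    exchange(browser, "localhost", b, Container.login, "bob", "hunter2")  # overwrites a's cookie
    return {
        "rpc_8888": exchange(browser, "localhost", a, Container.rpc),  # unknown sid -> new session
        "rpc_8889": exchange(browser, "localhost", b, Container.rpc),  # now carries a's fresh sid
    }


def distinct_hosts():
    """Same two instances addressed as localhost and 127.0.0.1: separate cookie
    scopes, so both sessions survive."""
    browser = BrowserCookieJar()
    a, b = Container("localhost:8888"), Container("127.0.0.1:8889")
    exchange(browser, "localhost", a, Container.login, "bob", "hunter2")
    exchange(browser, "127.0.0.1", b, Container.login, "bob", "hunter2")
    return (exchange(browser, "localhost", a, Container.rpc),
            exchange(browser, "127.0.0.1", b, Container.rpc))


def fixation_rejected():
    """An attacker-planted cookie must not become bob's session after login."""
    browser = BrowserCookieJar()
    a = Container("localhost:8888")
    planted = "attacker-known-id"
    browser.store("localhost", {"JSESSIONID": planted})
    exchange(browser, "localhost", a, Container.login, "bob", "hunter2")
    return (browser.cookies_for("localhost")["JSESSIONID"] != planted
            and a.rpc({"JSESSIONID": planted})[0] is None)


if __name__ == "__main__":
    print(reproduce_collision())   # both RPCs return None, as in the posted log
    print(distinct_hosts())        # ('bob', 'bob')
    print(fixation_rejected())     # True
```

Running it prints None for both RPCs in the collision case, which is the same sequence the log shows: each server reports a session id it just minted rather than either of the ids the clients sent. With identity taken from the container session alone, the payload SID comparison in checkUser adds nothing the session cookie does not already provide, and the client-held copy of the id stops being something the server has to protect.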