Just thinking.  When right-clicking a Hyperlink, which starts a new 
instance of the app in a separate window/tab, how would one figure out the 
user (that is logged in to the original instance)?  I assume the new 
instance starts up (onModuleLoad()) and knows nothing about the instance 
from which it was started.

One idea is to pass the user on the URL, but would that be secure?  Is 
there a standard way to do this?

On Sunday, June 3, 2012 6:30:39 PM UTC-7, Thomas Broyer wrote:
>
>
>
> On Monday, June 4, 2012 12:06:42 AM UTC+2, Mike Dee wrote:
>>
>> And opening a new window is when authentication comes into play.  The 
>> user hasn't logged into the new instance of the application (opened in the 
>> new window).  Hence we are back to the original problem.
>>
>> With a regular web app, this wouldn't be a problem.  The state of whether 
>> the user is logged in is maintained on the server (in session variables). 
>> In the case of GWT, the state of whether the user is logged in is 
>> maintained on the client.
>>
>
> Not necessarily; and if you're doing it that way, then IMO you're either 
> "over-secure" (at the detriment of UX, which is fine if it's a conscious 
> choice) or you're doing it wrong.
>
> First, I find it way easier to handle authentication separate from the GWT 
> app, and just consider the user is logged in when/if it loads the GWT app. 
> That way, you only have to handle the case that the user has been 
> disconnected and tell him to refresh the page in order to re-authenticate. 
> And if you open the app while you're already authenticated (using cookies 
> or whatever, but this is dealt with by the server, unknown to the GWT app) 
> then it "just works": the GWT app does not know (and does not need to know) 
> whether you just authenticated or you reloaded the page, or went back to 
> the app while your authentication session was still active, or opened the 
> app in another window/tab; it just loads, and you're authenticated.
>
> But even if you handle authenticating from within the app, you can very 
> well set a cookie after authentication and check it onModuleLoad (I did it 
> once, it works, in practice, not only theoretically).
>

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/google-web-toolkit/-/6zb2US25fQoJ.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.
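
The server-side approach described in the quoted reply, as an added example that is not part of the thread or of GWT's own code: a servlet the app could call from onModuleLoad() to learn who is logged in, taking identity only from the session cookie and never from the URL. The class name `WhoAmIServlet`, the session attribute `"user"` and the existence of a separate login handler that sets it are assumptions.

```java
// Added example. Assumes a login handler (not shown) stored the authenticated
// user name in the HttpSession under the attribute "user".
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class WhoAmIServlet extends HttpServlet {
    static final String USER_ATTR = "user"; // hypothetical attribute name

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Identity comes only from the server-side session, which the browser
        // references through its session cookie. Every tab or window of the
        // same browser sends that cookie, so a new instance needs no hand-off.
        HttpSession session = req.getSession(false); // never create one here
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);

        // A "user" query parameter is deliberately never read: anyone can edit
        // the URL, so it proves nothing about who is making the request.
        resp.setHeader("Cache-Control", "no-store");
        if (user == null) {
            // No live session: the client should send the user to the login page.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        resp.setContentType("text/plain");
        resp.setCharacterEncoding("UTF-8");
        resp.getWriter().write(user.toString());
    }
}
```

Marking the session cookie HttpOnly and Secure in the container configuration keeps it out of reach of page scripts and off plain-HTTP connections.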
