Re: Why should I need a Session ID?
Hi Sebastian,
thank you for your reply!
It's fine that I do not need to deal with the session ID and that this
stuff is hidden within the servlet framework.
But how should I then apply the login/remember cookbook mentioned
above (LoginSecurity-FAQ), which tells me to store the session ID in
some cookie so the browser can remember the user when he comes back?
http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
The FAQ - which was made for GWT! - says that I should store the
session ID in a cookie after login:
    import java.util.Date;
    import com.google.gwt.user.client.Cookies;

    String sessionID = /*(Get sessionID from server's response to your login request.)*/;
    final long DURATION = 1000 * 60 * 60 * 24 * 14; // duration remembering login; 2 weeks in this example
    Date expires = new Date(System.currentTimeMillis() + DURATION);
    Cookies.setCookie("sid", sessionID, expires, null, "/", false);
The following code should be used to remember the user's session at the
EntryPoint:
    String sessionID = Cookies.getCookie("sid");
    if (sessionID != null) checkWithServerIfSessionIdIsStillLegal();
    else displayLoginBox();
However, saying that I do not need to deal with session IDs also means
that I cannot use this method. But the LoginSecurity-FAQ was made for
GWT applications.
Can you help me out of this contradiction?
Thanks
Magnus
On Aug 8, 4:05 pm, Sebastian Rothbucher
<sebastian.rothbuc...@clarities.de> wrote:
> Hi Magnus,
>
> when using a Servlet Container, you don't have to worry about such
> stuff at all: as soon as you use request.getSession().setAttribute() /
> request.getSession().getAttribute(), you work with the user's session.
> Internally, this session has an ID but this ID is normally hidden from
> you (when you use TamperData with Firefox, you can make the JSESSIONID
> value visible). So, I'd agree with you not to send the primary key of
> the user anywhere - just leave it in the server side user session....
>
> Hope this helps - best regards
> Sebastian Rothbucher
>
> On 8 Aug., 03:55, Magnus <alpineblas...@googlemail.com> wrote:
>
> > Hi,
>
> > the LoginSecurity-FAQ as well as many other tutorials refers to a
> > session ID:http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecur...
>
> > Why should I use something like an "ID" for a session? I simply store
> > the primary key of the current user in my session and it seems to be
> > enough.
>
> > The special topic in this FAQ is the remember functionality: Store the
> > Session ID in a Cookie so that the user does not need to login every
> > time. Should I store the User ID there?
>
> > Isn't this dangerous? I believe that any client can manipulate its
> > cookies to arbitrary values...
>
> > Magnus
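An added example, not from this thread or the LoginSecurity-FAQ, showing how the two approaches fit together in a servlet container: the container's own session (JSESSIONID) holds the user's primary key for the live session, while the "sid" cookie carries a random remember-me token that is only meaningful after a server-side lookup, so a cookie edited by the client maps to nothing. It assumes the Servlet 3.0+ javax.servlet API and Java 8; the class, method and map names are hypothetical, and the lookup runs on the server instead of in GWT client code, which is why the cookie can be HttpOnly.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical helper: the "sid" cookie carries a random remember-me token,
 *  never the user's primary key and never the container's JSESSIONID. */
public class RememberMe {
    private static final int MAX_AGE = 60 * 60 * 24 * 14;       // two weeks, as in the FAQ
    private static final SecureRandom RNG = new SecureRandom();
    // token hash -> user primary key; a real app keeps this in a DB with an expiry column
    private static final Map<String, Long> TOKENS = new ConcurrentHashMap<>();

    /** Call after the password check succeeded: issue a fresh token and set the cookie. */
    public static void issue(long userId, HttpServletResponse resp) throws Exception {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);                                      // 256 random bits: unguessable
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        TOKENS.put(hash(token), userId);                         // store only the hash server-side
        Cookie c = new Cookie("sid", token);
        c.setMaxAge(MAX_AGE);
        c.setPath("/");
        c.setHttpOnly(true);                                     // client script never needs it
        c.setSecure(true);                                       // send only over HTTPS
        resp.addCookie(c);
    }

    /** Call on the first request from the EntryPoint: returns the user id, or null. */
    public static Long resume(HttpServletRequest req) throws Exception {
        if (req.getCookies() == null) return null;
        for (Cookie c : req.getCookies()) {
            if (!"sid".equals(c.getName())) continue;
            Long userId = TOKENS.get(hash(c.getValue()));        // forged or expired cookie -> null
            if (userId != null) {
                req.getSession().setAttribute("userId", userId); // container session holds the key
            }
            return userId;
        }
        return null;
    }

    private static String hash(String token) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(token.getBytes("UTF-8"));
        return Base64.getEncoder().encodeToString(d);
    }
}
```

On logout, remove the token's hash from the store and expire the cookie so a copied cookie stops working.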
--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.