Question
I am building a GWT application where I have 3 RootPanels, one of which contains the login panel (userId and Password). My application is a one-page application. In order to log in, the user's id and password are verified by the server through RPC, and if the combination is correct the next Panel loads, which is my main application. Since it is a one-page application, I want to know how I should carry out session management in this application.
Answer 1:
A few ways I used in my different GWT applications:
- Checking the user's credentials on each RPC (client/server). Follow generic programming (obvious time delay in each RPC :-/)
- Using Thread Local (preferred way)
  getThreadLocalRequest().getSession().setAttribute("user", user); // and get
- Use Cookies to allow the user's web browser to 'remember' the login.
- A few others which I'm not using. For example: Local storage (not secured, dependent)
Answer 2:
You can configure the session in your application's web.xml, and you can write a session filter which will filter all or specific requests to the server, where you can verify whether your session is expired or valid. If it is expired, you can redirect the user to whatever page you want.
Answer 3:
One of the great advantages of an AJAX application is the chance to work without a session on the server side. As far as I remember, Ray Ryan also mentioned stateless services in the presentation "Best practices for Architecting GWT Applications" at Google I/O 2009.
Having a session on the server side has some impacts:
- the session can expire
- it needs a lot of resources
- it makes load balancing a lot more complicated
Even if you have session management on the server side, you have to check the user credentials on every server call! You can never be sure that it is always your application that's calling your service!
So, I personally avoid using session management on the server side in my GWT applications.
Instead you can do something like this:
After a successful login, store some information like userId, login time, IP address, etc. in a database table. Use the key of the record, encrypt it and send this token back to the client. All your services on the server side should require the userId and token as input parameters. Before you start doing your business logic, you should check the user credentials: decrypt the token and read the record from the database table.
- no record found -> user not logged on
- not a valid database key -> user not logged on
- compare the stored userId with the one, you get from the server call -> not equal -> user not logged on
- compare the stored IP address with the one from the server call -> not equal -> user not logged on
and so on.
Also, you should always use SSL!
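The token scheme this answer describes, as an added example that is not code from the answer or from GWT: a hypothetical server-side helper that an RPC service implementation calls before its business logic. The "encrypt the record key" step uses AES-GCM so a tampered or forged token fails the tag check, and an in-memory map stands in for the database table; the class and method names are assumptions.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class TokenSessionCheck {
    // Stand-in for the answer's database table: constructed, in-memory, record key -> login data.
    record LoginRecord(String userId, String ip, long loginTime) {}
    private final Map<Long, LoginRecord> table = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final SecretKeySpec key = newKey();   // server-side AES key, never sent to the client
    private long nextId = 1;
    private SecretKeySpec newKey() {
        byte[] k = new byte[32];
        rng.nextBytes(k);
        return new SecretKeySpec(k, "AES");
    }

    /** After a successful password check: store the record, encrypt its key, return the token. */
    public synchronized String issueToken(String userId, String ip) throws Exception {
        long id = nextId++;
        table.put(id, new LoginRecord(userId, ip, System.currentTimeMillis()));
        byte[] iv = new byte[12]; rng.nextBytes(iv);   // fresh random nonce per token (AES-GCM)
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(ByteBuffer.allocate(8).putLong(id).array());
        return Base64.getUrlEncoder().encodeToString(ByteBuffer.allocate(12 + ct.length).put(iv).put(ct).array());
    }

    /** Runs the answer's checks in order; null means the caller is logged on, otherwise the reason. */
    public String rejectReason(String userId, String token, String callerIp) {
        long id;
        try {
            byte[] raw = Base64.getUrlDecoder().decode(token);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, raw, 0, 12));
            id = ByteBuffer.wrap(c.doFinal(raw, 12, raw.length - 12)).getLong();
        } catch (Exception e) {                        // bad base64, short token or failed GCM tag
            return "not a valid database key";
        }
        LoginRecord rec = table.get(id);
        if (rec == null) return "no record found";
        if (!rec.userId().equals(userId)) return "user id mismatch";
        if (!rec.ip().equals(callerIp)) return "ip address mismatch";
        return null;
    }
}
```

A service would call rejectReason(userId, token, request.getRemoteAddr()) first and refuse the call on any non-null result; the stored loginTime is where an expiry check of your choosing would go.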
Source: https://stackoverflow.com/questions/32219842/session-management-in-gwt-client-side