Session ID cookie in GWT RPC


Solution 1

Using Servlet Sessions in GWT

In the remote service implementation class:

String jSessionId=this.getThreadLocalRequest().getSession().getId();

In the client code:

String jSessionId=Cookies.getCookie("JSESSIONID");

Enabling sessions in appengine-web.xml:

<sessions-enabled>true</sessions-enabled>

Solution 2

No, you shouldn't be rolling your own.

The session ID needs to be cryptographically random (not guessable from known sources). It's difficult to get this right yourself.

Solution 3

Ideally you should be relying on the underlying framework's session management features. Servlets & JSPs, Struts and Spring have this support, which you should use.

In the extremely rare case that you are writing your own framework with no underlying session management features to rely on, you could start with the java.security.SecureRandom class to begin with. Of course, don't reinvent the wheel here, for broken session management is the same as broken authentication.

Update

Given that you are using Google App Engine, you should rely on the session management features provided by the engine. It seems that it is not switched on by default.
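Solutions 1 and 3 combined as an added example (not code from the original answers or from GWT itself), assuming a GWT RemoteServiceServlet subclass with hypothetical names AccountServiceImpl, login(), whoAmI() and passwordMatches(): the servlet container owns the session id, and SecureRandom is used only for a separate per-session secret returned in the RPC response, so client code need not read JSESSIONID and that cookie can stay HttpOnly.

```java
// Added example (not from the original answers). AccountServiceImpl, login(), whoAmI() and
// passwordMatches() are hypothetical; the GWT RemoteService/Async interfaces are omitted.
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpSession;

public class AccountServiceImpl extends RemoteServiceServlet {
    private static final SecureRandom RNG = new SecureRandom();
    // Login: the container issues and stores the session id; this code never makes one.
    // Invalidating any pre-login session stops an id that existed before authentication
    // from being carried into the authenticated session.
    public String login(String user, String password) {
        if (!passwordMatches(user, password)) {
            throw new IllegalArgumentException("bad credentials");
        }
        HttpSession old = getThreadLocalRequest().getSession(false);
        if (old != null) old.invalidate();
        HttpSession session = getThreadLocalRequest().getSession(true);
        session.setAttribute("user", user);
        // 256-bit per-session secret from a CSPRNG, returned in the RPC response so the
        // client keeps it without reading JSESSIONID, which can then stay HttpOnly.
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String secret = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute("rpcSecret", secret);
        return secret;
    }

    // Later RPC: identity comes from the container session, and the client must echo the
    // secret it was given; compare in constant time so timing does not leak bytes.
    public String whoAmI(String presentedSecret) {
        HttpSession session = getThreadLocalRequest().getSession(false);
        if (session == null || presentedSecret == null) {
            throw new IllegalStateException("not logged in");
        }
        String expected = (String) session.getAttribute("rpcSecret");
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presentedSecret.getBytes(StandardCharsets.UTF_8))) {
            throw new IllegalStateException("session secret mismatch");
        }
        return (String) session.getAttribute("user");
    }

    private boolean passwordMatches(String user, String password) {
        return false; // hypothetical stand-in for a real password store lookup
    }
}
```

With JSESSIONID marked HttpOnly, Cookies.getCookie("JSESSIONID") in GWT client code returns null, which is the intended state when the secret travels in the RPC response instead.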



Author: antony.trupe

Updated on June 04, 2022

Comments

  • antony.trupe (almost 2 years)

    Assuming I'm rolling my own session code, what's the right way to generate a unique and secure session ID cookie in Java?

    Should I not be rolling my own but using something that's already been standardized?

    I'm using GWT and the Google App Engine platform.

    How do I make sessions persist across browser/server restarts?

  • Vineet Reynolds (over 14 years)
    By the way, Axis 1.x does implement session management using the SecureRandom class. I'm not sure on why they chose it, but this is the only one-off case that I have encountered.
  • Vineet Reynolds (over 14 years)
    More details on the Axis 1.x session management design can be found at wiki.apache.org/ws/FrontPage/Axis/SessionSupport. The supposed reason (that I could think of) for not using HttpSession is to support sessions across different protocols.