Session management in GWT without using Java on the server?

I am using GWT for my client application. I am not using GWT / Java for the server. However, I'm not sure how I can handle session management. The GWT app is on one page, and all server calls are made via AJAX. If the session expires on the server ... let's assume the user didn't close the browser but left the application open, how will my server notify the application to end the session and that the client-side part should show the login screen again?

What is client-side session management? This seems inherently insecure.

I am not looking for code. I am looking for ideas, methods, potential solutions, etc. I've looked at Comet http://en.wikipedia.org/wiki/Comet_(programming) , but it doesn't seem to work very well without using Java on the server side. Maybe I'm wrong? I also don't want to poll the server.

Any thoughts or insights?

0




3 answers


Without knowing how your RPC works, it's hard to give good advice.



If your AJAX service requires the user to be authenticated (i.e. has a valid session), you can simply send a 401 error message indicating that the user is not valid. The client side can interpret the 401 error as a message that it should configure the user to re-authenticate.

+1




We handled this in our application by detecting when the server sent back a redirect to the login screen (it came through in response to an Ajax call) and bringing up a dialog again asking the user for a password, but with their username pre-filled. We then sent the same as the login page as if it was a login page and so the user was automatically logged into this new session. Finally, we re-sent the Ajax call, so it was a simple process for the user (e.g. they didn't have to push the action again).



Since we saved all state on the client and not in session variables, we had no problem trying to save data across sessions.

+1
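The flow from the two answers above (the server rejects the call, the client re-authenticates and replays it), as an added example that is not part of the original thread. The server stays the only authority on session validity; `transport`, `reauthenticate` and the fake server are hypothetical names constructed for the illustration.

```javascript
// Added example, not from the thread. `transport` and `reauthenticate` are
// hypothetical injected functions: transport(request) resolves to
// { status, body }; reauthenticate() shows the login dialog and resolves
// once the server has issued a new session.
function createSessionAwareClient(transport, reauthenticate) {
  let pendingLogin = null; // shared by every call that hits a 401 concurrently

  function loginOnce() {
    if (!pendingLogin) {
      pendingLogin = Promise.resolve()
        .then(reauthenticate)
        .finally(() => { pendingLogin = null; });
    }
    return pendingLogin;
  }

  return async function call(request) {
    const first = await transport(request);
    if (first.status !== 401) return first;
    await loginOnce(); // one dialog, however many calls failed
    const second = await transport(request); // replay exactly once
    if (second.status === 401) {
      throw new Error("still unauthenticated after re-login");
    }
    return second;
  };
}

// Constructed stand-in for the server: answers 401 until a login happens.
function makeFakeServer() {
  const state = { sessionValid: false, logins: 0, calls: 0 };
  return {
    state,
    transport: async (request) => {
      state.calls += 1;
      return state.sessionValid
        ? { status: 200, body: "ok:" + request.action }
        : { status: 401, body: "session expired" };
    },
    reauthenticate: async () => { state.logins += 1; state.sessionValid = true; },
  };
}

async function demo() {
  const server = makeFakeServer();
  const call = createSessionAwareClient(server.transport, server.reauthenticate);
  const results = await Promise.all([call({ action: "save" }), call({ action: "load" })]);
  return { bodies: results.map((r) => r.body), logins: server.state.logins, calls: server.state.calls };
}
```

Two calls that fail at the same moment share a single login prompt, and a replay that is still rejected surfaces as an error instead of looping.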




What happens is that the session expires on the server side, and the next time the client sends a request to the server, the server will either create a new session or, rather, send the client a message that it is trying to access the page without a session and send them to the login screen. However, you still have to wait for the client to send a message to the server.

0

