Login management in GWT with sessionId
If you don’t want to waste time reading my ‘good’ English, you can and must skip to the ‘How to achieve’ section.
As Google provides lots of space and features to host an app, everyone must be thinking of developing a good site that provides a good user experience. When I came to develop one, the first ‘STONE’ that got in the way was login management. As usual I thought to manage it via a simple verification process, but that still left many security holes. When I googled and asked experts, all said a common solution is to create a session when a user logs in and use it to manage the client’s further transactions and interactions. So here I am going to describe briefly what I did to make it happen in my Google app. As I said, this is just a brief; if you have queries, further solutions or extra parts that you think belong with this, don’t forget to add them, or at least link us to where the info is.
Let’s understand what a session actually is, what the related word ‘cookie’ means, and what each is for.
In computer science, in particular networking, a session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and a user (see Login session).

A session is set up or established at a certain point in time, and torn down at a later point in time. An established communication session may involve more than one message in each direction. A session is typically, but not always, stateful, meaning that at least one of the communicating parties needs to save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses.

An established session is the basic requirement to perform connection-oriented communication. A session is also the basic step to transmit in connectionless communication modes. However, any unidirectional transmission does not define a session.
What is a cookie?

A session cookie, also called a transient cookie, is a cookie that is erased when the user closes the Web browser. The session cookie is stored in temporary memory and is not retained after the browser is closed. Session cookies do not collect information from the user’s computer. They typically store information in the form of a session identification that does not personally identify the user.
The main difference between cookies and sessions is that cookies are stored in the user's browser, and sessions are not. This difference determines what each is best used for. A cookie can keep information in the user's browser until deleted. If a person has a login and password, this can be set as a cookie in their browser so they do not have to re-login to your website every time they visit. You can store almost anything in a browser cookie. The trouble is that a user can block cookies or delete them at any time. If, for example, your website's shopping cart utilized cookies, and a person had their browser set to block them, then they could not shop at your website.
How to achieve

Okay, it seems we know what we are going to do. In brief, we have to create some value that identifies who is interacting with the service. So we need to create an id; we can do it via java.util.UUID, a class that represents an immutable universally unique identifier (UUID). A UUID represents a 128-bit value. There exist different variants of these global identifiers. The methods of this class are for manipulating the Leach-Salz variant, although the constructors allow the creation of any variant of UUID.

So in the GWT service, when we have a successful login, I did it like this:
    // Server side (GWT RPC service), after the password check has succeeded.
    // Needs: import java.util.UUID; 'pm' is the JDO PersistenceManager obtained
    // earlier and 'getUser' is the persistent User object just looked up.
    String sessionId = UUID.randomUUID().toString(); // random (version 4) UUID
    getUser.setSessionID(sessionId);   // store the id with the user record
    pm.makePersistent(getUser);        // persist it via JDO
    return sessionId;                  // hand the id back to the client
So for a valid user, a new session id is stored with his information at each login, and it is sent back to the client.

On the client side, store this id in the browser and send it with each transaction; the server verifies the user by comparing the value sent with the one stored in the database for that user.
Code to store the value on the client side, in the browser:
    // Client side: the AsyncCallback<String> of the login RPC.
    // Needs: import com.google.gwt.user.client.Cookies;
    // SESSION_COOKIE_KEY_NAME is a String constant holding the cookie name.
    @Override
    public void onSuccess(String result) {
        // 'result' is the session id returned by the service; keep it in a
        // browser cookie so it can be sent with every later RPC call.
        Cookies.setCookie(SESSION_COOKIE_KEY_NAME, result);
    }
That’s it. Now, depending on your logic, you can implement a time out on the server side to erase the value after a particular time, or create a new id after each successful validation for a highly secured app. What if you know the session id stored in the cookie and which service to call!
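The full server-side flow described above (id minted at login, checked on each call, plus the time-out and id rotation mentioned at the end), as an added example that is not the post's own code; it assumes an in-memory map keyed by session id instead of the JDO User record, and a 30-minute time-out.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not the post's own code. It keeps sessions in a map keyed by
// session id instead of on the User record (an assumption made to keep the
// example self-contained) and adds the server-side time-out and id rotation
// the post only mentions.
public class SessionStore {
    private static final long TIMEOUT_MILLIS = 30 * 60 * 1000L; // 30 min, assumed

    private static final class Entry {
        final String userId;
        final long lastSeen;
        Entry(String userId, long lastSeen) { this.userId = userId; this.lastSeen = lastSeen; }
    }

    private final Map<String, Entry> sessions = new ConcurrentHashMap<>();
    // After a successful password check: mint a fresh random id, as the post does.
    public String login(String userId, long now) {
        String sessionId = UUID.randomUUID().toString();
        sessions.put(sessionId, new Entry(userId, now));
        return sessionId;
    }

    // On every later RPC, with the id read from the cookie: returns the user the
    // session belongs to, or null if the id is unknown or has timed out.
    public String validate(String sessionId, long now) {
        if (sessionId == null) return null;
        Entry e = sessions.get(sessionId);
        if (e == null) return null;
        if (now - e.lastSeen > TIMEOUT_MILLIS) {
            sessions.remove(sessionId); // expired: erase it, as the post suggests
            return null;
        }
        return e.userId;
    }

    // Rotation after a successful validation: the old id stops working, so a
    // copied cookie is only useful until the real client's next call.
    public String rotate(String sessionId, long now) {
        Entry e = sessions.remove(sessionId);
        if (e == null) return null;
        String fresh = UUID.randomUUID().toString();
        sessions.put(fresh, new Entry(e.userId, now));
        return fresh;
    }

    public void logout(String sessionId) { sessions.remove(sessionId); }
}
```

On the client the id would be read back with Cookies.getCookie(SESSION_COOKIE_KEY_NAME) and passed as an argument of each RPC call, and the value returned by rotate() stored in place of the old one.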
Thanks. Any queries and doubts regarding this are welcome...