Sessions and Cookies to autologin in GWT

I know there are a lot of questions on this already but I still didn't seem to find a definitive answer. What I'm looking to do is have users be remembered after they log in for say 2 weeks or until they log out. Below is what I think should be happening and I was wondering if anyone with a bit more experience could tell me if I'm right or wrong.

User logs in for the first time. An RPC call to the server returns a 'UserInfo' object which includes with it a new sessionID. Aka on the server this happens and user is returned:

    user.setSessionId(getThreadLocalRequest().getSession().getId());

Now after user is returned we must create Cookies to store the client side data. Am I correct in saying we need a Cookie to identify the current user and another for the sessionID:

    final long DURATION = 1000 * 60 * 60 * 24 * 14; // duration remembering login - 2 weeks
    Date expires = new Date(System.currentTimeMillis() + DURATION);

    String sessionID = user.getSessionId();
    String username = user.getUsername();
    Cookies.setCookie("sessionID", sessionID, expires, null, "/", false);
    Cookies.setCookie("username", username, expires, null, "/", false);

Now when the user comes back to the app at a later date we check the cookies and (provided they exist and have not been deleted for some reason such as an explicit log out from the user) use their values to check session validity via RPC to the server:

    // final so the anonymous callback below can read them
    final String sessionID = Cookies.getCookie("sessionID");
    final String username = Cookies.getCookie("username");

    if (sessionID != null && username != null) {
        // checkSessionValidity answers with a Boolean, so the callback is typed to match
        AsyncCallback<Boolean> callBack = new AsyncCallback<Boolean>() {

            @Override
            public void onFailure(Throwable caught) {
                Window.alert("Error connecting to server.");
            }

            @Override
            public void onSuccess(Boolean sessionValid) {
                if (sessionValid)
                    loadInitialInterfaceForUser(username); // the cookie value, not the literal "username"
                else
                    loadLoginInterface();
            }
        };

        loginSvc.checkSessionValidity(sessionID, username, callBack);
    } else {
        loadLoginInterface();
    }

Now, assuming what I have done so far is correct (which is a bit of a long shot :P) my real question is what exactly should I check at the server side checkSessionValidity(sessionID,username)?

Is it simply a case of fetching the user that I have stored serverside and comparing sessionID with the sessionID I have associated with user? Do I also check it hasn't expired?

I know this is a long-winded and perhaps not very well worded question... I'm struggling to get my head round it so any and all help is very welcome!

Cheers, Steve

SteveCallender asked Feb 23 '13 20:02

1 Answer

Yes, that is a key thing to do.

Here is an interesting point discussed on that (Storing session id and username in DB)

Have a look at this (of course you can check them in the impl class instead of the servlet):
how to check if a sessionId is valid in a servlet (java).

And here is an excellent example of Session Management in GWT

http://varuntayur.wordpress.com/2012/01/25/session-management-in-gwt

Also read this question on GWT, Cookies and webpage directing

Suresh Atta answered Nov 09 '22 06:11
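
One way to implement the server-side check the question asks about, as an added example (not code from the question, the answer or GWT). It assumes a separate random remember-me token rather than the container's session ID, stored per user only as a SHA-256 hash; `RememberMeStore`, `issue` and `logout` are hypothetical names, and the in-memory map stands in for a database table.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical helper (not GWT or servlet API); the map stands in for a DB table.
public class RememberMeStore {
    static final long TWO_WEEKS_MS = 1000L * 60 * 60 * 24 * 14;
    private static final class Entry {
        final byte[] tokenHash;
        final long expiresAt;
        Entry(byte[] tokenHash, long expiresAt) { this.tokenHash = tokenHash; this.expiresAt = expiresAt; }
    }
    private final Map<String, Entry> byUser = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    // After a successful password login: the returned value is what goes into the cookie.
    public String issue(String username, long now) {
        byte[] raw = new byte[32];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        byUser.put(username, new Entry(sha256(token), now + TWO_WEEKS_MS)); // only the hash is stored
        return token;
    }

    // The server-side check: known user, not expired, token matches the stored hash.
    public boolean checkSessionValidity(String token, String username, long now) {
        if (token == null || username == null) return false;
        Entry e = byUser.get(username);
        if (e == null) return false;
        if (now >= e.expiresAt) { byUser.remove(username); return false; }
        return MessageDigest.isEqual(e.tokenHash, sha256(token)); // constant-time compare
    }

    public void logout(String username) { byUser.remove(username); } // explicit logout revokes

    public static void main(String[] args) {
        RememberMeStore store = new RememberMeStore();
        String token = store.issue("steve", 0L); // constructed user and clock value
        System.out.println(store.checkSessionValidity(token, "steve", 1000L));
        System.out.println(store.checkSessionValidity("forged", "steve", 1000L));
        System.out.println(store.checkSessionValidity(token, "steve", TWO_WEEKS_MS));
    }
}
```

If the server sets the token cookie itself, `javax.servlet.http.Cookie` offers `setHttpOnly(true)` and `setSecure(true)`, which keep the value away from page script and plain-HTTP requests.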