ASTX813

Reputation: 313

Using sessions in GAE/J

I'm having a hard time piecing together the various threads I've read on the topic, so I'd love to know if I'm on the right track before I get too far. I'm trying to make persistent logins using sessions and cookies and the like. At this point, I feel I've got my head around the login sequence, right now I just have a user db, but I'll try to tackle OAuth at a later date.

Login:

  1. User enters credentials
  2. Creds are sent async to server (ideally via SSL, eventually)
  3. Passwords are never stored, only hashes are kept
  4. If creds are OK, server sends the value of this.getThreadLocalRequest().getSession().getId() back
  5. Callback method saves sessionID in a cookie and modifies the UI accordingly
  6. (logout method clears the cookie and calls this.getThreadLocalRequest().getSession().invalidate())

I get lost when I want a user to be able to come back and pick up where they left off without having to log back in. I get the sessionID back from the cookie (if there is one), and then I somehow need to ask the server to verify it's valid. Is there a method that takes a session ID and returns whether it's a valid session? Or do I somehow tell the current session to use that ID?

The end goal is that I want to include the session ID in RPC calls that should be restricted to logged-in users, and the server-side methods will validate the sid received by RPC before running. I don't have to keep a running list of valid sids, right? That's already being handled by GAE (yes, I have <sessions-enabled> set).

Upvotes: 1

Views: 447

Answers (2)

Nick Johnson

Reputation: 101149

getSession returns a session object that can be used for persistent storage across requests. It already uses cookies to persist the session ID between requests. You don't need to get the session ID and store it separately in another cookie.

If you want to associate data with the user in the DB, either associate it with the session ID (eg, include the ID in the entity and look it up by ID) if you want it to be scoped to just the current session, or associate it with the user ID.

Unless you have a really, really compelling reason to invent your own user management, though, you really should be using the built in Google Accounts or OpenID support. You're not doing your users a service by forcing them to create yet another account for your site.

Upvotes: 1

systempuntoout

Reputation: 74144

this.getThreadLocalRequest().getSession(false)

Returns the current HttpSession associated with this request and returns null in case it has no valid HttpSession.

Upvotes: 0
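Putting the two answers together, as an added example (not code from the original question or either answer): the servlet container already carries the session ID in its own cookie, so the login step stores the authenticated user's ID as a session attribute, and a protected RPC method asks for the session with getSession(false) and checks that attribute instead of accepting a session ID as an argument. It is plain servlet API; in a GWT RemoteServiceServlet the request object is this.getThreadLocalRequest(). The UserStore interface and the "auth.userId" attribute name are assumptions for illustration, not anything the page defines.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Added example, not from the original post. The container manages the session
 * cookie; the application only records who is logged in inside the session.
 *
 * Assumed (hypothetical): UserStore.verify() compares a username against a
 * stored password hash and returns the user's ID, or null on failure.
 */
public final class SessionAuth {
    private static final String USER_ATTR = "auth.userId"; // assumed attribute name

    private SessionAuth() {}

    /** Login: verify credentials, then bind the user to a fresh session. */
    public static boolean login(HttpServletRequest req, String username,
                                char[] password, UserStore users) {
        String userId = users.verify(username, password);
        if (userId == null) {
            return false;
        }
        // Discard any session that existed before login, so a session ID an
        // attacker planted beforehand never becomes an authenticated one
        // (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true); // container sets the cookie itself
        fresh.setAttribute(USER_ATTR, userId);
        return true;
    }

    /**
     * "Is this session valid?": getSession(false) returns null when the request
     * carries no session cookie, or an ID the container no longer recognises
     * (expired or invalidated). A live session alone does not prove a login;
     * the stored user attribute does.
     */
    public static String currentUserId(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session == null) {
            return null;
        }
        Object userId = session.getAttribute(USER_ATTR);
        return userId instanceof String ? (String) userId : null;
    }

    /** Guard to call at the top of every RPC method restricted to logged-in users. */
    public static String requireUser(HttpServletRequest req) {
        String userId = currentUserId(req);
        if (userId == null) {
            throw new SecurityException("not logged in");
        }
        return userId;
    }

    /** Logout: invalidate server side; the ID in the client's cookie is now useless. */
    public static void logout(HttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    /** Hypothetical credential store; a real one compares salted password hashes. */
    public interface UserStore {
        /** Returns the user's ID on success, null otherwise. */
        String verify(String username, char[] password);
    }
}
```

With this layout the client never handles the session ID at all: the browser sends the container's session cookie with each RPC call, and a user who returns later simply has their attribute found (or not) by currentUserId(). Note that a server-side check is the only thing that matters; whether the client's own cookie still exists says nothing about whether the session is valid.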
