GWT - Getting session management right

Question

I'm trying to implement a simple session management mechanism in GWT, and I'm still not quite sure if I got it right:

1. First, in onModuleLoad, I check if a sessionID cookie exists. If it exists, I call the server to see if it is still valid. If it is, I return a User object which contains the sessionID and full username (I need this within my application).
2. If it doesn't exist, I diplay a Login dialog. The user enters username and password. I call my AuthenticationService, check if the username + password is valid, then return a User object. The sessionID gets stored the cookie.
3. When loggin out, I delete the sessionID cookie.

This is how the sessionID gets created:

String sessionID = UUID.randomUUID().toString();

Is this so far correct?

Answer 1

In my GWT application, I want to establish a session on the client side. For this purpose, I created a timer and for each and every navigation event I check the Timer. If the timer's time limit is exceeded then I render the Login Panel. For detailed code See this

Answer 2

No need to have a timer, just set cookie expiration on the client. In general, each client request within the allowed "active" time frame should both update the cookie's expiration (shift it forward) and server side session expiration (!important).

Answer 3

GWT session management

This might help too. I have gone with your method too, where I needed much wider user access control. Also you should take a look at SSL. Go with a method that suits your needs.