Auto Logout Feature


Mark

Apr 16, 2009, 10:23:34 AM
to Google Web Toolkit, kayiwa...@gmail.com
Hi all.

I am new to GWT.

I want to implement an auto logout feature for my application.

Any ideas will be most welcome as I am bleak.

Mark

Jason Essington

Apr 16, 2009, 11:32:51 AM
to Google-We...@googlegroups.com, kayiwa...@gmail.com
You'd probably want to control that on the server side, so a session
timeout would be the simplest method.

-jason

Vitali Lovich

Apr 16, 2009, 11:53:47 AM
to Google-We...@googlegroups.com, kayiwa...@gmail.com
I used both.

It depends what kind of behaviour you want. Here's what I have in the
class that implements the onModuleLoad:

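    @Override
    public void onPreviewNativeEvent(NativePreviewEvent preview)
    {
        if (closingRegistration == null)
            // not logged in yet
            return;

        // getTypeInt() returns a single event bit, while KEYEVENTS and
        // MOUSEEVENTS are masks of several bits, so test with & rather
        // than switching on the value.
        int userActions = Event.KEYEVENTS | Event.MOUSEEVENTS | Event.ONCLICK
                | Event.ONDBLCLICK | Event.ONMOUSEWHEEL;
        if ((preview.getTypeInt() & userActions) != 0)
        {
            // restart the inactivity warning timer
            logoutWarn.schedule(LoginModel.SESSION_TIMEOUT -
                    LoginModel.SESSION_WARN_TIMEOUT / LOGOUT_SPEED);
            // report user activity so the server session gets refreshed
            Controller.viewUpdated(Application.View.USER_ACTION, null);
        }
    }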

logoutWarn is just a Timer object (the arithmetic there is just
for some animation stuff that warns the user there's a logout
approaching due to inactivity). Controller.viewUpdated simply sends
an RPC to the server telling it that there was a user action (i.e.
refresh the session on the server side). This isn't a direct RPC call
though. It keeps postponing the RPC call (which is done within a
timer) until a threshold is reached.

On the server side, I persist sessions in the database. Every RPC
call refreshes the session in the database. If a session is not
valid, that'll throw a specific exception - all RPC callbacks are
actually wrapped in a central callback that handles server errors
(i.e. if the server responds with not authenticated, it'll force a
logout of the UI).

Also, when the UI logs out due to inactivity, it sends an RPC call to
the server telling it the session has been invalidated (not strictly
necessary, but just a security thing) & removes any session related
cookies.

Hope this helps.

Vitali Lovich

Apr 16, 2009, 11:55:28 AM
to Google-We...@googlegroups.com, kayiwa...@gmail.com
Forgot to mention, you can ignore closingRegistration. When I'm
logged in, I detect if the user is navigating away from my app &
pop-up a confirmation.

Jason Essington

Apr 16, 2009, 12:42:24 PM
to Google-We...@googlegroups.com
Right, a client side timer is a nice user convenience, but don't make
the mistake of depending on the client side code to perform the
logout; you will always need a server side solution as well.

The client must always be considered untrustworthy and unreliable. So
depending solely upon the client to log out will undoubtedly leave you
with random logged in clients even past their timeout.

The causes could be as simple as a browser crash or network
disconnect, or as nefarious as a rogue client.

-jason

Vitali Lovich

Apr 16, 2009, 1:03:03 PM
to Google-We...@googlegroups.com
Yeah, I guess I shouldn't have made that assumption implicit. My
webapps are never trusted. Any validation I do on input is usually
duplicated on the server side (sometimes like password confirmation
there's no need). Actually more is usually done on the server as well
to make sure we're not getting malformed input like null pointers &
whatnot.

Every RPC call, except for the login, is always authenticated to make
sure it's a valid session.

Also, I keep the server stateless which I find tends to make things
easier to manage on the server. State across communication I find
tends to be related to maintaining the UI & the server can just
perform stateless actions that retrieve data and/or persist it without
knowing what the user has done previously.

The only server state is the session management which I persist in a
database thus the servlet itself is stateless.
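
The server-side check discussed in this thread (every RPC authenticated against a persisted session, idle sessions rejected whatever the client does), as an added example that is not code from any poster. The in-memory map stands in for the database table; SessionStore, authenticate, invalidate and the 15-minute timeout are assumed names and values.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: every name and value here is hypothetical, not from the thread.
public class SessionStore {
    static class NotAuthenticatedException extends Exception {}

    static final long MIN = 60_000L;
    static final long SESSION_TIMEOUT_MS = 15 * MIN; // constructed value
    // Stand-in for the database table of sessions: token -> last activity time.
    private final Map<String, Long> lastSeen = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    // Called by the login RPC, the only call that is not authenticated.
    String login(long nowMs) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        lastSeen.put(token, nowMs);
        return token;
    }

    // Called at the start of every other RPC: rejects unknown or idle sessions,
    // otherwise refreshes the activity time. The client's timer plays no part.
    void authenticate(String token, long nowMs) throws NotAuthenticatedException {
        Long seen = (token == null) ? null : lastSeen.get(token);
        if (seen == null || nowMs - seen >= SESSION_TIMEOUT_MS) {
            if (token != null) lastSeen.remove(token); // drop the expired row
            throw new NotAuthenticatedException();
        }
        lastSeen.put(token, nowMs);
    }

    // Called by the explicit or inactivity-triggered logout RPC.
    void invalidate(String token) { if (token != null) lastSeen.remove(token); }

    public static void main(String[] args) throws Exception {
        SessionStore store = new SessionStore();
        String token = store.login(0L);
        store.authenticate(token, 10 * MIN); // active user: session refreshed
        try {
            // Browser crashed, no logout RPC was sent; next call comes 20 min later.
            store.authenticate(token, 30 * MIN);
            System.out.println("BUG: idle session accepted");
        } catch (NotAuthenticatedException e) {
            System.out.println("idle session rejected by server");
        }
    }
}
```

In a GWT servlet the NotAuthenticatedException would be the exception the central client callback turns into a forced UI logout.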