Session IDs, user credentials, and distributed deployment


dane.molotok

Jul 24, 2010, 1:58:29 AM
to Google Web Toolkit
I'm stuck on how to implement the server-side code for my app. At app
startup I want to authenticate the user, leave the credentials on the
server side and use the session ID for the client to make future calls
that need to be authenticated, in lieu of sending the user credentials
over the wire for every call. I believe to use that session ID from
the client for future calls I will have a problem if my server is
distributed. So if my first call to authenticate goes to one JVM, and
the second call gets redirected by a load balancer to a second JVM,
that second JVM won't recognize that session ID. I would assume this
problem has to have been solved before, for example the Google App
Engine mentions in its documentation that you're not guaranteed to get
the same app server serving your request from one request to the next.
Thanks in advance.

Peter Simun

Jul 24, 2010, 5:16:32 AM
to Google Web Toolkit
Hi Dane,

You are right, this has been solved before :) For example, you can
transfer your sessionId in your RPC payload and then correctly pair
the request with the session on the server side. This approach was
implemented in the acris framework and is described in the security
chapter here:
http://code.google.com/p/acris/wiki/Security

The only problem is with App Engine, because acris-security is not
currently deployable on App Engine, but anyway, you can take inspiration
from the solution or extend it to be deployable on App Engine. Help is
very much appreciated.

Peter
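Added example, not part of the original thread and not acris code: a sketch of the approach discussed above, where the session ID travels in each RPC payload and any server node pairs it with the session through a store that all nodes share. The names `SharedSessionDemo`, `SessionStore`, `Node`, `whoAmI` and the sample account are hypothetical, and the in-process map is an assumption standing in for a database or cache reachable from every JVM.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

public class SharedSessionDemo {
    record Session(String user, Instant expires) {}

    // Assumption: stand-in for a store shared by every JVM (a database or
    // cache); an in-process map is used here only so the demo runs.
    static class SessionStore {
        private final Map<String, Session> map = new ConcurrentHashMap<>();
        void put(String id, Session s) { map.put(id, s); }
        // A null or unknown ID yields an empty result instead of an exception.
        Optional<Session> get(String id) { return Optional.ofNullable(id).map(map::get); }
    }

    // One application server (one JVM behind the load balancer).
    static class Node {
        private static final SecureRandom RNG = new SecureRandom();
        private final SessionStore store;
        Node(SessionStore store) { this.store = store; }

        // Credentials are checked once; only a random session ID returns to the client.
        String login(String user, String password) {
            // Constructed sample account; a real check verifies a password hash.
            if (!"dane".equals(user) || !"constructed-pw".equals(password))
                throw new SecurityException("bad credentials");
            byte[] raw = new byte[32]; // 256 bits from a CSPRNG, not guessable
            RNG.nextBytes(raw);
            String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            store.put(id, new Session(user, Instant.now().plusSeconds(1800)));
            return id;
        }

        // Each RPC carries the session ID in its payload; the node pairs it with the session.
        String whoAmI(String sessionId) {
            return store.get(sessionId)
                .filter(s -> s.expires().isAfter(Instant.now()))
                .orElseThrow(() -> new SecurityException("unknown or expired session"))
                .user();
        }
    }

    public static void main(String[] args) {
        SessionStore shared = new SessionStore();
        Node a = new Node(shared), b = new Node(shared);
        String sid = a.login("dane", "constructed-pw");
        System.out.println(b.whoAmI(sid)); // request served by a different node
    }
}
```

Because the session ID now acts as the credential for every later call, it needs the same transport protection (TLS) as the password it replaces.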