Creating/managing sessions for different users using DWR

Hello David and Mike,

 I was talking about DWR's scriptsession. I also went through the post where MK had a similar problem. I am not able to solve the issue using URL rewriting:

<script type='text/javascript' src='<%= response.encodeURL("/dwr/<DWR JS Name>.js")%>'></script>

The attributes set returns a value null on the subsequent DWR calls.

My objective is to save the 2 parameters corresponding to a user after a login is validated. I am currently using ScriptSession.setAttribute(<attribute>,<attribute value>). The client is logging in from a different domain and the server exists in a different one (cross-domain). How can I use these attributes set for every subsequent DWR call by the client. 

Thank you.

Yes, I am seeing this and also understand that it is as expected. But what would be an optimal solution for my problem? HttpSessions? Can you give me an outline of how I can get this to work?

Thank you for being patient with my amateur questions :)

On Jan 23, 2012, at 11:44 PM, Mike Wilson wrote:

The expected behaviour is that all calls from the same page ("document instance") will use the same ScriptSession on the server. So, if you load a page in the browser and it makes three DWR calls they should all see the same ScriptSession, but if you then refresh or navigate to a new page, you will be connected to a new ScriptSession with no association to the old one.

Is this what you are seeing?

 

Best regards

Mike

 

Shravan Shetty wrote:

Hello David and Mike,

 I was talking about DWR's scriptsession. I also went through the post where MK had a similar problem. I am not able to solve the issue using URL rewriting:

<script type='text/javascript' src='<%= response.encodeURL("/dwr/<DWR JS Name>.js")%>'></script>

The attributes set returns a value null on the subsequent DWR calls.

My objective is to save the 2 parameters corresponding to a user after a login is validated. I am currently using ScriptSession.setAttribute(<attribute>,<attribute value>). The client is logging in from a different domain and the server exists in a different one (cross-domain). How can I use these attributes set for every subsequent DWR call by the client. 

Thank you.

Hello Mike,

I am developing a web application where the client logs in from a different domain to my (server) domain (both with its own servlet container, hence making it cross domain). At valid log on, I want to manage any user's session at the server. My intention is now is to set few attributes after login so that all subsequent calls from that client via a DWR call can be validated based on these attributes. I do not manage any sessions at the Client domain, because this is something that I will not have control in the future too. I want to control all sessions only at the Server.

Pictorially it is something like: Client1 --->  Server  <--- Client2. Based on the login credentials I want to limit any Client's future request to the Server. 

What I currently have is a new session running (per page) for each DWR request. How do I persist the session attributes?

Thank you.

On 24 January 2012 09:53, Mike Wilson <[hidden email]> wrote:

Ok, good.

DWR is at mercy of the rules set up by web browsers and HTTP standards so much of what you can do is standard web app stuff and not specifically related to DWR. Anyway, if you provide a more detailed sketch of the different pages, domains and servers that you have (just make up example names if you want) then I might be able to point out some directions.

 

Best regards

Mike

 

Shravan Shetty wrote:

Yes, I am seeing this and also understand that it is as expected. But what would be an optimal solution for my problem? HttpSessions? Can you give me an outline of how I can get this to work?

Thank you for being patient with my amateur questions :)

On Jan 23, 2012, at 11:44 PM, Mike Wilson wrote:

The expected behaviour is that all calls from the same page ("document instance") will use the same ScriptSession on the server. So, if you load a page in the browser and it makes three DWR calls they should all see the same ScriptSession, but if you then refresh or navigate to a new page, you will be connected to a new ScriptSession with no association to the old one.

Is this what you are seeing?

 

Best regards

Mike

 

Shravan Shetty wrote:

Hello David and Mike,

 I was talking about DWR's scriptsession. I also went through the post where MK had a similar problem. I am not able to solve the issue using URL rewriting:

<script type='text/javascript' src='<%= response.encodeURL("/dwr/<DWR JS Name>.js")%>'></script>

The attributes set returns a value null on the subsequent DWR calls.

My objective is to save the 2 parameters corresponding to a user after a login is validated. I am currently using ScriptSession.setAttribute(<attribute>,<attribute value>). The client is logging in from a different domain and the server exists in a different one (cross-domain). How can I use these attributes set for every subsequent DWR call by the client. 

Thank you.

--
Regards,
Shravan

Thank you Mike. Great explanation. I will try it out and let you know how it goes. If I understood correct, the second option you suggested about client side token persistence can (to a large extent) mitigate CSRF attacks? 

Thank you again. I will update you on my progress in a day's time. 

On 24 January 2012 12:45, Mike Wilson <[hidden email]> wrote:

Ok, here goes. You want to persist the logged-in user on your DWR API between page loads on the foreign-domain client site.

Standard webapp rules say that to persist a state between page loads, we need to either send it to the server at navigation (GET or POST parameter) so the server can send it back to us in the next page, or to save it as a cookie managed by the browser.

 

There are two main solutions that you can consider, see below. There are many variations that can be made on these two themes, so I recommend that you use them as a basis for further exploring and learning about webapps, and not as the "only" ways possible.

 

PERSIST HTTPSESSION ON YOUR SERVER

 

Outline:

 

client.com/page.html

    Remote.login(user, password)

    Remote.doStuff()

        |

        | (cookie for server.com:JSESSIONID=...)

        |

        V

server.com/dwr/*

    class Remote

        public void login(String user, String password, HttpSession sess)

            if (loginOk) sess.setAttribute("validUserId", ...)

        public void doStuff(HttpSession sess)

            userId = sess.getAttribute("validUserId");

            if (userId != "") do stuff ...

 

Here we set up a session between the client browser and the server, and it will use a cookie to remember which browser is connected to which session. Note that a cross-domain setup like yours will allow any site to participate in this session and you will be subject to CSRF attacks. You can mitigate this to some degree by using the "Referer" header to partition the "session" into different parts for the different client sites.

(Note: the HttpSession parameter is automatically filled in by DWR, see http://directwebremoting.org/dwr/documentation/server/javaapi.html)

 

USE YOUR OWN LOGIN TOKEN PERSISTED BY THE CLIENT

 

Outline:

 

client.com/page.html

    var token

    Remote.login(user, password, function(returnValue){token=returnValue})

    Remote.doStuff(token)

        |

        |

        V

server.com/dwr/*

    class Remote

        public String login(String user, String password)

            return (loginOk ? generateToken(mySession) : "")

        public void doStuff(String token)

            mySession = checkToken(token)

            if (mySession != null) do stuff ...

 

Here you basically set up your own session mechanism on your server, and generate hard-to-guess identifiers (tokens) for them. The token is returned to the client on successful login, and you then require the client to pass this token in every call to your DWR-remoted methods.

It will then be up to the client site to persist this token between page loads, and this could either be done through a cookie on the client site or through parameters (GET or POST) passed between client pages on navigation.

 

Best regards

Mike

 

Shravan Shetty wrote:

Hello Mike,

I am developing a web application where the client logs in from a different domain to my (server) domain (both with its own servlet container, hence making it cross domain). At valid log on, I want to manage any user's session at the server. My intention is now is to set few attributes after login so that all subsequent calls from that client via a DWR call can be validated based on these attributes. I do not manage any sessions at the Client domain, because this is something that I will not have control in the future too. I want to control all sessions only at the Server.

Pictorially it is something like: Client1 --->  Server  <--- Client2. Based on the login credentials I want to limit any Client's future request to the Server. 

What I currently have is a new session running (per page) for each DWR request. How do I persist the session attributes?

Thank you.

On 24 January 2012 09:53, Mike Wilson <[hidden email]> wrote:

Ok, good.

DWR is at mercy of the rules set up by web browsers and HTTP standards so much of what you can do is standard web app stuff and not specifically related to DWR. Anyway, if you provide a more detailed sketch of the different pages, domains and servers that you have (just make up example names if you want) then I might be able to point out some directions.

 

Best regards

Mike

 

Shravan Shetty wrote:

Yes, I am seeing this and also understand that it is as expected. But what would be an optimal solution for my problem? HttpSessions? Can you give me an outline of how I can get this to work?

Thank you for being patient with my amateur questions :)

On Jan 23, 2012, at 11:44 PM, Mike Wilson wrote:

The expected behaviour is that all calls from the same page ("document instance") will use the same ScriptSession on the server. So, if you load a page in the browser and it makes three DWR calls they should all see the same ScriptSession, but if you then refresh or navigate to a new page, you will be connected to a new ScriptSession with no association to the old one.

Is this what you are seeing?

 

Best regards

Mike

 

Shravan Shetty wrote:

Hello David and Mike,

 I was talking about DWR's scriptsession. I also went through the post where MK had a similar problem. I am not able to solve the issue using URL rewriting:

<script type='text/javascript' src='<%= response.encodeURL("/dwr/<DWR JS Name>.js")%>'></script>

The attributes set returns a value null on the subsequent DWR calls.

My objective is to save the 2 parameters corresponding to a user after a login is validated. I am currently using ScriptSession.setAttribute(<attribute>,<attribute value>). The client is logging in from a different domain and the server exists in a different one (cross-domain). How can I use these attributes set for every subsequent DWR call by the client. 

Thank you.

--
Regards,
Shravan

--
Regards,
Shravan