Tags: gwt, browser-history, session-management

GWT - History Management for web application


I am working on History management for my application. I have two views, one is login and the other is the main application. I have added local links #login and #application. Now ideally what should happen is, when the user opens the application he should see the login view which has the #login token. It works fine. Then when his credentials are validated he goes to the application view with token #application. And when he logs out he goes back to #login. All this works fine. But what bothers me is when I change the link token from #login to #application manually, the main application opens directly even after I have logged out. But when I try the same thing in a new tab, it works fine. The application is vulnerable to attacks which need to be fixed. I need some help here.

    //When application loads
    History.newItem("application", true);
    //When login screen loads
    History.newItem("login", true);

    //On change
    History.addValueChangeHandler(new ValueChangeHandler<String>() {

        @Override
        public void onValueChange(ValueChangeEvent<String> event) {
            String historyToken = event.getValue();
            // startsWith is the bounds-safe form of substring(0, n).equals(...):
            // it never throws for tokens shorter than n characters
            if (historyToken.startsWith("login")) {
                login();
            }
            if (historyToken.startsWith("application")) {
                // the view is chosen from the token alone, with no session check
                mainApplicationView();
            }
        }
    });

When I logout, the login() method is called which loads the relevant panels into RootPanel and also has the #login token inside. Also, the main application panels are removed from RootPanel.


Solution

  • The mistake was inside the second if condition:

        History.addValueChangeHandler(new ValueChangeHandler<String>() {

            @Override
            public void onValueChange(ValueChangeEvent<String> event) {
                String historyToken = event.getValue();
                // startsWith is the bounds-safe form of substring(0, n).equals(...)
                if (historyToken.startsWith("login")) {
                    login();
                }
                if (historyToken.startsWith("application")) {
                    // startApplication() re-checks the session on every token change;
                    // if it is not valid the login screen shows up, else mainApplication
                    startApplication();
                }
            }
        });
    

    After I logout, it should not allow me to see the application page in any case. So, I should make sure that the sessionID is valid. I did it only once when the application started but not under History.addChangeHandler. This was a blunder.

        // Body of startApplication(): a missing cookie means no session at all,
        // otherwise the server decides whether the session is still valid
        String sessionID = Cookies.getCookie("JSESSIONID");
        if (sessionID == null) {
            login();
        } else {
            checkWithServer();
        }
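The history token is user-controlled input: anyone can type #application into the address bar, so the check that gates the application view has to run on every token change and has to be answered by the server, not by the token. The class below is an added example (not the code from the question or the answer) that puts the answer's idea into one handler: every "application" token triggers an asynchronous session check, failures fail closed to the login view, and the fragment is rewritten so a typed #application does not stick in the URL. The `SessionServiceAsync` interface, its `isSessionValid`/`logout` methods and the `showLogin`/`showApplication` callbacks are assumptions for the example; `History`, `ValueChangeHandler` and `AsyncCallback` are the real GWT APIs. Note that servlet containers commonly mark JSESSIONID as HttpOnly, in which case `Cookies.getCookie("JSESSIONID")` returns null in the browser; a server round trip like this one works either way.

```java
import com.google.gwt.event.logical.shared.ValueChangeEvent;
import com.google.gwt.event.logical.shared.ValueChangeHandler;
import com.google.gwt.user.client.History;
import com.google.gwt.user.client.rpc.AsyncCallback;

/** Assumed GWT-RPC async interface (example only). The matching servlet must
 *  itself check HttpSession; the client never decides validity on its own. */
interface SessionServiceAsync {
    void isSessionValid(AsyncCallback<Boolean> callback);
    void logout(AsyncCallback<Void> callback);
}

/** Routes history tokens to views, gating the application view on a server check. */
public class HistoryGate implements ValueChangeHandler<String> {
    static final String LOGIN = "login";
    static final String APPLICATION = "application";

    private final SessionServiceAsync sessionService;
    private final Runnable showLogin;        // assumed: builds the login view in RootPanel
    private final Runnable showApplication;  // assumed: builds the main application view

    public HistoryGate(SessionServiceAsync sessionService,
                       Runnable showLogin, Runnable showApplication) {
        this.sessionService = sessionService;
        this.showLogin = showLogin;
        this.showApplication = showApplication;
    }

    /** Registers the handler and routes the token the page was opened with. */
    public void install() {
        History.addValueChangeHandler(this);
        // A fresh tab opened on #application goes through the same gate as a
        // token change in an existing tab.
        History.fireCurrentHistoryState();
    }

    @Override
    public void onValueChange(ValueChangeEvent<String> event) {
        route(event.getValue());
    }

    void route(String token) {
        // startsWith never throws, unlike substring(0, n) on a short token.
        if (token.startsWith(APPLICATION)) {
            gateApplication();
        } else {
            // "login", an empty token and anything unknown all land on login.
            showLogin.run();
        }
    }

    private void gateApplication() {
        sessionService.isSessionValid(new AsyncCallback<Boolean>() {
            @Override
            public void onSuccess(Boolean valid) {
                if (Boolean.TRUE.equals(valid)) {
                    showApplication.run();
                } else {
                    backToLogin();
                }
            }

            @Override
            public void onFailure(Throwable caught) {
                // Fail closed: an RPC error is treated as "not logged in".
                backToLogin();
            }
        });
    }

    /** Invalidates the server session first, then returns to the login view. */
    public void logout() {
        sessionService.logout(new AsyncCallback<Void>() {
            @Override
            public void onSuccess(Void result) {
                backToLogin();
            }

            @Override
            public void onFailure(Throwable caught) {
                // Even if the logout RPC fails, never stay on the application view.
                backToLogin();
            }
        });
    }

    private void backToLogin() {
        showLogin.run();
        // issueEvent=false: rewrite the fragment to #login without re-firing
        // onValueChange, so the typed #application is not left in the URL.
        History.newItem(LOGIN, false);
    }
}
```

Wire it up once at module load with `new HistoryGate(service, loginView, appView).install()` and call `logout()` from the logout button instead of `History.newItem("login", true)`. The handler only controls what the browser renders; the RPC servlets that serve application data must reject requests without a valid session themselves, otherwise the gate is cosmetic and the data is reachable without ever passing through it.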