GWT: Problem with application's architecture

I'm in a little trouble with designing a GWT application. I am trying to develop an RIA app (with just one main widget, let's call it Main). First, the user must be logged in. Here's my way to do that, but it does have a problem, as you'll see.

  1. Show login components on root panel
  2. If login was successful (checks database), show Main widget
  3. Widget is added to root panel

Everything works, but when you press Refresh it shows the login components again ... It all happens in the onModuleLoad method.

How should I redesign this logic? I'd like to keep the user logged in (that means RootPanel will hold the Main widget) for a certain amount of time.


http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ

How to remember logins

Our login system so far misses a useful feature: For now it requires users to log in again every time.

We can use Cookies to allow the user's web browser to 'remember' the login. In GWT, to set the cookie (which you'd do right after your GWT code receives the response as we did in the previous code fragment):

String sessionID = /*(Get sessionID from server's response to your login request.)*/;
final long DURATION = 1000 * 60 * 60 * 24 * 14; //duration remembering login. 2 weeks in this example.
Date expires = new Date(System.currentTimeMillis() + DURATION);
Cookies.setCookie("sid", sessionID, expires, null, "/", false);

Now you can run the following code right after your EntryPoint begins execution:

String sessionID = Cookies.getCookie("sid");
if ( sessionID != null ) checkWithServerIfSessionIdIsStillLegal();
else displayLoginBox();

Remember - you must never rely on the sessionID sent to your server in the cookie header; look only at the sessionID that your GWT app sends explicitly in the payload of messages to your server.

I'm not sure how your GWT app implemented communication with the login service, but if you want to see another example, I followed the example here:

http://code.google.com/webtoolkit/doc/latest/tutorial/appengine.html#user

While it uses the Google App Engine as the backend authentication service, I think it's generic enough to be adapted to any server that supports the GWT RPC server side and has authentication services.


You need some kind of server-side support to do it.

For example, when the user logs in, mark it in the server-side session. In onModuleLoad(), call the server to check whether the user is logged in before showing the login form.

Other problems related to pressing Refresh can be solved with history tokens.
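
The server-side check that both answers depend on (the FAQ's checkWithServerIfSessionIdIsStillLegal() and the "call the server" step in onModuleLoad()), as an added example that is not part of the original answers or the FAQ: a plain-Java session registry that a GWT RPC servlet could delegate to. The names SessionRegistry, login, validate and logout are hypothetical; the session ID is passed in as the RPC payload argument, as the FAQ requires, and is never read from the Cookie header.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example: hypothetical server-side session registry (not GWT or FAQ code).
public class SessionRegistry {
    private static final long DURATION_MS = 1000L * 60 * 60 * 24 * 14; // 2 weeks, as in the FAQ

    private static final class Session {
        final String user;
        final long expiresAt;
        Session(String user, long expiresAt) { this.user = user; this.expiresAt = expiresAt; }
    }

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    // Call after the password check succeeds; the returned ID goes into the "sid" cookie.
    public String login(String user, long nowMs) {
        byte[] raw = new byte[32]; // 256 bits from a CSPRNG, so IDs cannot be guessed
        random.nextBytes(raw);
        String sid = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(sid, new Session(user, nowMs + DURATION_MS));
        return sid;
    }

    // sidFromPayload is the RPC method argument sent by the client, never the Cookie header.
    // Returns the user name, or null if the ID is unknown or expired (client shows the login box).
    public String validate(String sidFromPayload, long nowMs) {
        if (sidFromPayload == null) return null;
        Session s = sessions.get(sidFromPayload);
        if (s == null) return null;
        if (nowMs >= s.expiresAt) { sessions.remove(sidFromPayload); return null; }
        return s.user;
    }

    public void logout(String sidFromPayload) {
        if (sidFromPayload != null) sessions.remove(sidFromPayload);
    }

    public static void main(String[] args) {
        SessionRegistry reg = new SessionRegistry();
        long now = System.currentTimeMillis();
        String sid = reg.login("alice", now); // constructed sample user
        System.out.println(reg.validate(sid, now));                   // valid session
        System.out.println(reg.validate("forged-id", now));           // unknown ID
        System.out.println(reg.validate(sid, now + DURATION_MS + 1)); // past expiry
    }
}
```

Expiry is enforced on the server because the cookie's expiry date only controls how long the browser keeps the value, not how long the server should accept it.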
