You can get a user session with gwt. The standard GWT RPC Servlet „RemoteServiceServlet“ extends the HttpServlet. All you need to do, is to get access to that session. Serializable requiredYou can only store objects, that implements the serializable Interface

// create session and store userid
HttpServletRequest request = this.getThreadLocalRequest();
//true will create a new session if it not yet exists
HttpSession session = request.getSession(true);
session.setAttribute("UserID", 1);

HttpServletRequest request = this.getThreadLocalRequest();
// dont create a new one -> false
HttpSession session = request.getSession(false);
if (session == null)
	return;
// do some logout stuff ...
//destroy the session
session.invalidate();

HttpServletRequest request = this.getThreadLocalRequest();
// dont create a new one -> false
HttpSession session = request.getSession(false);
if (session == null || session.getAttribute("UserID") == null)
	return null;
//do something with the value
Integer userID = (Integer) session.getAttribute("UserID") 
return userID;

The session always returns an Object that you must explicitly cast …

And now the whole Servlet Code example:

package de.umingo.example.login.server;
 
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
 
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
 
import de.umingo.example.login.client.LoginService;
import de.umingo.example.login.shared.FieldVerifier;
 
/**
 * The server side implementation of the RPC service.
 */
@SuppressWarnings("serial")
public class LoginServiceImpl extends RemoteServiceServlet implements LoginService {
 
	public String login(String name, String password) throws IllegalArgumentException {
		// Verify that the input is valid.
		if (!FieldVerifier.isValidName(name)) {
			throw new IllegalArgumentException("Name must be at least 4 characters long");
		}
 
		// Escape data from the client to avoid cross-site script
		// vulnerabilities.
		name = escapeHtml(name);
		password = escapeHtml(password);
 
		if (!"test".equals(name) || !"testpw".equals(password)) {
			throw new IllegalArgumentException("Nick/Password is not matching");
		}
 
		// create session and store userid
		HttpServletRequest request = this.getThreadLocalRequest();
		HttpSession session = request.getSession(true);
		session.setAttribute("UserID", 1);
		return session.getId();
	}
 
 
	@Override
	public boolean checkLogin() {
 
		HttpServletRequest request = this.getThreadLocalRequest();
		// dont create a new one -> false
		HttpSession session = request.getSession(false);
		if (session == null || session.getAttribute("UserID") == null)
			return false;
		// session and userid is available, looks like user is logged in.
		return true;
	}
 
	@Override
	public void logout() {
 
		HttpServletRequest request = this.getThreadLocalRequest();
		// dont create a new one -> false
		HttpSession session = request.getSession(false);
		if (session == null)
			return;
		// do some logout stuff ...
		session.invalidate();
	}
 
 
	/**
	 * Escape an html string. Escaping data received from the client helps to
	 * prevent cross-site script vulnerabilities.
	 * 
	 * @param html
	 *            the html string to escape
	 * @return the escaped string
	 */
	private String escapeHtml(String html) {
		if (html == null) {
			return null;
		}
		return html.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;");
	}
}