On 8 sep, 05:02, harimack <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> I am new to Security. I am using GWT-RPC for login; I read the GWT LoginFAQ and see that they are recommending using GWT-RPC for login, but my concern is: how secure is GWT-RPC over the wire? If someone is sniffing, is the data protected over the wire?
GWT-RPC, if you call a "login(username, password)" method, is not less secure than using a form with username and password fields, or using "HTTP Basic" authentication: everything is sent as-is, unprotected. If you really care, use HTTPS.

Eventually, you could try to compute a hash client-side, based on e.g. the date/time, and send it to the server (along with the date/time, so the server can check the hash *and* check it's not too old --which would prove it's a replay attack--). ...or you could ask the server for a "nonce" (that the server knows when it has been created, so it can stop replay attacks as above) instead of using date/time (advantage: the nonce is independent of the client: in case the client's clock is wrong, a date/time could prevent him logging in without him being an attacker).

> Can you please let me know how you would approach login if you were using GWT-RPC.

- use HTTPS to prevent sniffing
- or use HTTP Digest to authenticate the "host page", generated dynamically to include an auth ticket within a JS object, accessed from GWT as a Dictionary (the idea here is to put authentication out of the scope of your GWT app, so you can change it later without many changes to your client-side code; HTTPS with client certificate to authenticate the client falls in this category)
- or send everything in the clear, and hope nobody sniffs...

(beware of session expiration: whether you want automatic signing-out or not, and how to handle such a sign-off --is the session reinitialized, losing unsaved changes?-- means different choices... -- namely: choose whether your auth code is within your GWT app, or outside; your app considering it only runs in an authenticated "environment"--)

You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
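The server-issued nonce the reply describes, worked through as an added example that is not part of the thread and not GWT or GWT-RPC code. It is written in Python rather than GWT's Java so both sides of the exchange fit in one runnable file; the names (`AuthServer`, `issue_nonce`, `client_proof`, `derive_secret`, `NONCE_TTL_SECONDS`) and the sample user "alice" are constructed for the example. The server remembers when each nonce was issued and discards it on first use, so a captured login message cannot be replayed and an old nonce is rejected without relying on the client's clock.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL_SECONDS = 60  # how long an issued nonce stays valid (assumed value)


def derive_secret(username: str, password: str) -> bytes:
    """Secret derived from the password, computed identically on both ends.

    Constructed for this example. Because the server stores this value and
    the client proves knowledge of it, it is password-equivalent and must be
    protected on the server like a password hash would be.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), 10_000)


def client_proof(username: str, password: str, nonce: str) -> str:
    """Client side: an HMAC over the nonce, so the password itself never leaves the client."""
    key = derive_secret(username, password)
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


class AuthServer:
    """Server side: issues nonces, verifies proofs, and rejects replays and stale nonces."""

    def __init__(self, users: dict, now=time.time):
        self._users = users      # username -> derived secret (constructed sample store)
        self._nonces = {}        # nonce -> (username, issued_at)
        self._now = now          # injectable clock so expiry can be exercised offline

    def issue_nonce(self, username: str) -> str:
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = (username, self._now())
        return nonce

    def login(self, username: str, nonce: str, proof: str):
        entry = self._nonces.pop(nonce, None)  # pop first: every nonce is single-use
        if entry is None:
            return False, "unknown or already used nonce"
        owner, issued_at = entry
        if owner != username:
            return False, "nonce was issued to a different user"
        if self._now() - issued_at > NONCE_TTL_SECONDS:
            return False, "nonce expired"
        secret = self._users.get(username)
        if secret is None:
            return False, "unknown user"
        expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, proof):  # constant-time comparison
            return False, "bad proof"
        return True, "ok"


class FakeClock:
    """Controllable clock so the expiry path can be demonstrated without sleeping."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Run the exchange once, then a replay, an expired nonce and a wrong password."""
    clock = FakeClock()
    server = AuthServer({"alice": derive_secret("alice", "correct horse")}, now=clock)
    results = {}

    nonce = server.issue_nonce("alice")
    proof = client_proof("alice", "correct horse", nonce)
    results["first"] = server.login("alice", nonce, proof)
    # Someone who sniffed the previous message resends it unchanged.
    results["replay"] = server.login("alice", nonce, proof)

    nonce2 = server.issue_nonce("alice")
    clock.advance(NONCE_TTL_SECONDS + 1)  # client waited too long
    results["expired"] = server.login("alice", nonce2, client_proof("alice", "correct horse", nonce2))

    nonce3 = server.issue_nonce("alice")
    results["wrong_password"] = server.login("alice", nonce3, client_proof("alice", "wrong", nonce3))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

This only stops replay of a sniffed login; it does nothing for the confidentiality of everything else on the connection, which is why the reply's first recommendation stays HTTPS. The `_nonces` dictionary also needs periodic pruning of expired entries in a long-running server, which is left out here.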
