Hi, I'm fairly new to web apps so I have a few basic questions about handling the user's secure session. I read the article on login security here:
http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ I understand everything up to the section "How to remember logins". At the bottom of that section it states "Remember - you must never rely on the sessionID sent to your server in the cookie header ; look only at the sessionID that your GWT app sends explicitly in the payload of messages to your server." I've numbered the questions below: 1) If we can't trust cookies, what's the point of using cookies at all? If it's just so the browser UI "thinks" the user is logged in, why not just store it in some local client side variable since GWT applications are contained within a single page. * Make RPC call with user/pass * Server says pass = OK * In User.java, call setLoggedIn(true) 2) That leads me to my next question, how should the sessionID be stored in the client? Do I just store it in some class, let's say User.java as a String or whatnot in plain text? 3) Then, in any RPC request that needs the user to be logged in, I pass this session ID along with the rest of the objects? 4) How does the server then take this sessionId and authenticate it? Is the approach the same whether I'm using Java/RPC with Tomcat or JSON with php on an Apache server? Can you give an example (or a link to a page the explains this?) 5) Finally, is there any situation where you would store the username/ pass on the client in order to authenticate each RPC call? If so, what would be the security implications of this? Thanks. I'm sorry for the basic questions. This is all fairly new to me since my only experience with web app security is academic and very minimal. It's obviously something I don't want to get wrong :) --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~----------~----~----~----~------~----~------~--~---