Hi nogridbag,

You might just want to "begin at the beginning" and read the HTTP
Basic and HTTP Digest specifications.  These will give you an
indication of what is already built into browsers and web servers for
solving the mainstream of authentication requirements on the web in a
way that is orthogonal to application logic (a good thing).  Realize
that the FAQ you read is part of a departure from those standards.
Part of the cost of that departure is the complexity you have stumbled
on.

Walden

On Sep 30, 11:22 pm, nogridbag <[EMAIL PROTECTED]> wrote:
> Hi, I'm fairly new to web apps so I have a few basic questions about
> handling the user's secure session.  I read the article on login
> security here:
>
> http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecur...
>
> I understand everything up to the section "How to remember logins".
> At the bottom of that section it states "Remember - you must never
> rely on the sessionID sent to your server in the cookie header ; look
> only at the sessionID that your GWT app sends explicitly in the
> payload of messages to your server."
>
> I've numbered the questions below:
>
> 1) If we can't trust cookies, what's the point of using cookies at
> all?  If it's just so the browser UI "thinks" the user is logged in,
> why not just store it in some local client side variable since GWT
> applications are contained within a single page.
>
> * Make RPC call with user/pass
> * Server says pass = OK
> * In User.java, call setLoggedIn(true)
>
> 2) That leads me to my next question, how should the sessionID be
> stored in the client?  Do I just store it in some class, let's say
> User.java as a String or whatnot in plain text?
>
> 3) Then, in any RPC request that needs the user to be logged in, I
> pass this session ID along with the rest of the objects?
>
> 4) How does the server then take this sessionId and authenticate it?
> Is the approach the same whether I'm using Java/RPC with Tomcat or
> JSON with PHP on an Apache server?  Can you give an example (or a link
> to a page that explains this?)
>
> 5) Finally, is there any situation where you would store the username/
> pass on the client in order to authenticate each RPC call?  If so,
> what would be the security implications of this?
>
> Thanks.  I'm sorry for the basic questions.  This is all fairly new to
> me since my only experience with web app security is academic and very
> minimal.  It's obviously something I don't want to get wrong :)
You received this message because you are subscribed to the Google Groups
"Google Web Toolkit" group.
http://groups.google.com/group/Google-Web-Toolkit?hl=en