You don't need cookies. The FAQ actually tells you not to rely on cookie
data.
Store the session ID somewhere as a GWT field and send it with the rest of
your data.

Ian

http://examples.roughian.com


2008/10/26 Andrey <[EMAIL PROTECTED]>

>
> walden!
>
> I also don't get why we need cookies.
> Can you please answer to this question?
> Why don't we store session id in JS variable?
>
> On 1 Oct, 15:44, walden <[EMAIL PROTECTED]> wrote:
> > Hi nogridbag,
> >
> > You might just want to "begin at the beginning" and read the HTTP
> > Basic and HTTP Digest specifications.  These will give you an
> > indication of what is already built into browsers and web servers for
> > solving the mainstream of authentication requirements on the web in a
> > way that is orthogonal to application logic (a good thing).  Realize
> > that the FAQ you read is part of a departure from those standards.
> > Part of the cost of that departure is the complexity you have stumbled
> > on.
> >
> > Walden
> >
> > On Sep 30, 11:22 pm, nogridbag <[EMAIL PROTECTED]> wrote:
> >
> > > Hi, I'm fairly new to web apps so I have a few basic questions about
> > > handling the user's secure session.  I read the article on login
> > > security here:
> >
> > > http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecur...
> >
> > > I understand everything up to the section "How to remember logins".
> > > At the bottom of that section it states "Remember - you must never
> > > rely on the sessionID sent to your server in the cookie header ; look
> > > only at the sessionID that your GWT app sends explicitly in the
> > > payload of messages to your server."
> >
> > > I've numbered the questions below:
> >
> > > 1) If we can't trust cookies, what's the point of using cookies at
> > > all?  If it's just so the browser UI "thinks" the user is logged in,
> > > why not just store it in some local client side variable since GWT
> > > applications are contained within a single page.
> >
> > > * Make RPC call with user/pass
> > > * Server says pass = OK
> > > * In User.java, call setLoggedIn(true)
> >
> > > 2) That leads me to my next question, how should the sessionID be
> > > stored in the client?  Do I just store it in some class, let's say
> > > User.java as a String or whatnot in plain text?
> >
> > > 3) Then, in any RPC request that needs the user to be logged in, I
> > > pass this sessionID along with the rest of the objects?
> >
> > > 4) How does the server then take this sessionId and authenticate it?
> > > Is the approach the same whether I'm using Java/RPC with Tomcat or
> > > JSON with php on an Apache server?  Can you give an example (or a link
> > > to a page the explains this?)
> >
> > > 5) Finally, is there any situation where you would store the username/
> > > pass on the client in order to authenticate each RPC call?  If so,
> > > what would be the security implications of this?
> >
> > > Thanks.  I'm sorry for the basic questions.  This is all fairly new to
> > > me since my only experience with web app security is academic and very
> > > minimal.  It's obviously something I don't want to get wrong :)
> >
> >
> >
>

You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.