I have a question about the "XSRF" protection. I've implemented this by using a requestFilter which filters for the "nocache.js" file and sets a "sid" cookie with the session id as the value. Then for each RPC call I send the value of the "sid" cookie as a GET parameter. When the session is active this works great. The issue I have is when the session expires, or is invalid for some reason. Currently this is reporting a false "XSRF" attack since the sid no longer matches the session id on the server.
If the sid is based off the session id (or anything that changes over time), how might it get updated when the session id gets invalidated?
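
The check described in the post, written so that an expired session is reported separately from a suspected XSRF attempt. This is an added example, not code from the original post or from GWT. The class, enum and method names are hypothetical, and it assumes the server can see three values on each RPC call: the live session id (or null), the "sid" cookie, and the sid GET parameter.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Added example with hypothetical names; models the decision without the servlet API. */
public class SidCheck {

    enum Outcome { OK, SESSION_EXPIRED, XSRF_SUSPECTED }

    /**
     * @param serverSessionId id of the live server-side session, or null if there is none
     * @param cookieSid       value of the "sid" cookie the browser sent, or null
     * @param paramSid        value of the sid GET parameter on the RPC call, or null
     */
    static Outcome classify(String serverSessionId, String cookieSid, String paramSid) {
        // A forged cross-site request carries the cookie automatically, but the
        // forging page cannot read it, so it cannot echo the value in the parameter.
        if (cookieSid == null || paramSid == null || !sameValue(cookieSid, paramSid)) {
            return Outcome.XSRF_SUSPECTED;
        }
        // Parameter and cookie agree, so the caller could read the cookie.
        // A missing or different server session now means the sid is stale.
        if (serverSessionId == null || !sameValue(serverSessionId, cookieSid)) {
            return Outcome.SESSION_EXPIRED;
        }
        return Outcome.OK;
    }

    /** Compares two values without stopping at the first differing byte. */
    static boolean sameValue(String a, String b) {
        return MessageDigest.isEqual(
                a.getBytes(StandardCharsets.UTF_8),
                b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample values, not real session ids.
        System.out.println(classify("abc123", "abc123", "abc123")); // live session
        System.out.println(classify(null, "abc123", "abc123"));     // session timed out
        System.out.println(classify("new456", "abc123", "abc123")); // session was replaced
        System.out.println(classify("abc123", "abc123", null));     // parameter missing
    }
}
```

With the outcomes separated, the server can answer a stale sid with a "session expired" response and reserve the XSRF error for requests whose parameter does not match the cookie.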
