Hey everyone, thanks for the big replies. There is a lot of info in there, but I still have some questions.
I understand that Mallory will always be a problem and that Eve might be one; however, defeating them is not part of what I want to do. The only thing I want to guard against is XSRF attacks. I understand that to prevent these I must create some identifier (let's use sessionID) and store it in a cookie so that it survives a browser reload, and that I must pass it inside my GWT RPC request rather than rely on the cookie in the header. So far so good; this is exactly what I am implementing right now.

Gregor suggested that I create an interface that would extend RemoteService. This is along the lines of what I was thinking, as it would make the whole XSRF system transparent to the programmer. I have also understood from the later posts between you and Reinier that the visibility of the actual sessionID on the wire is not a problem here, so is there any substantial objection to using this approach?

Shawn suggested I use his implementation with JSON; however, I have read the readme, and the fact that exceptions are not thrown over the line is too big a drawback for me, as I already use these in the app.

Reinier, you really seem to know your stuff; thank you for your clarifying posts and your enjoyable cynical take on the world. I think I understand what you are saying.

Last question: would using SSL (which will be implemented on the server within a week or two) also prevent XSRF? From what I have read, I cannot draw a conclusion one way or the other.

With thanks,
Patrick

You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [EMAIL PROTECTED]. For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en
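The scheme Patrick describes above (session ID kept in a cookie, the same ID repeated inside the RPC request body, server compares the two) is a double-submit check. The following is an added example, not code from this thread or from GWT: a plain-Python stand-in for the server side of that check, so the logic can be run and inspected independently of the GWT RPC plumbing. `RpcRequest`, `Sessions`, `handle_rpc`, the `transfer` method, the user name and the cookie/parameter name `sessionID` are all constructed for the illustration.

```python
"""Double-submit session-ID check for an RPC endpoint (added example,
not the GWT project's code). Models the scheme from the thread: session ID
in a cookie, the same ID repeated in the RPC body, server compares both."""
import hmac
import secrets


class XsrfError(Exception):
    """Raised when the request does not prove it came from our own page."""


class RpcRequest:
    """Constructed stand-in for an incoming GWT RPC call.

    cookies: what the browser attached automatically (a cross-site page
             can cause this to be sent, but cannot read its value)
    params:  the serialized RPC arguments (only our own client code fills these)
    """
    def __init__(self, method, cookies, params):
        self.method = method
        self.cookies = cookies
        self.params = params


class Sessions:
    """In-memory session table; session IDs are random, not guessable."""
    def __init__(self):
        self._by_id = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits of randomness
        self._by_id[sid] = user
        return sid

    def user_for(self, sid):
        return self._by_id.get(sid)


def check_xsrf(request, cookie_name="sessionID", param_name="sessionID"):
    """Return the session ID if cookie and body token agree, else raise.

    The cookie alone proves nothing: a cross-site <form> or <img> request
    carries it too. The copy inside the RPC body is what only our page can add,
    so the server must never fall back to the cookie when the body copy is absent.
    """
    cookie_sid = request.cookies.get(cookie_name)
    body_sid = request.params.get(param_name)
    if not cookie_sid or not body_sid:
        raise XsrfError("session ID missing from cookie or request body")
    # constant-time compare so a forger cannot probe the value byte by byte
    if not hmac.compare_digest(cookie_sid, body_sid):
        raise XsrfError("request body token does not match session cookie")
    return cookie_sid


def handle_rpc(sessions, request):
    """Dispatch only after the XSRF check passes (hypothetical 'transfer' call)."""
    sid = check_xsrf(request)
    user = sessions.user_for(sid)
    if user is None:
        raise XsrfError("unknown session")
    return f"{request.method} executed for {user}"


def demo():
    """One legitimate call and two forged cross-site calls; returns outcomes."""
    sessions = Sessions()
    sid = sessions.create("patrick")  # constructed user

    legit = RpcRequest("transfer", {"sessionID": sid},
                       {"sessionID": sid, "amount": 10})
    # Forged: the victim's browser attaches the cookie, but the attacker's page
    # cannot read the cookie value, so the body has no token or a wrong one.
    forged_no_token = RpcRequest("transfer", {"sessionID": sid}, {"amount": 10})
    forged_guess = RpcRequest("transfer", {"sessionID": sid},
                              {"sessionID": "guess", "amount": 10})

    results = {}
    for name, req in [("legit", legit), ("forged_no_token", forged_no_token),
                      ("forged_guess", forged_guess)]:
        try:
            results[name] = handle_rpc(sessions, req)
        except XsrfError as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note that the check never looks at the transport: a cross-site form post arrives with the session cookie attached whether the connection is HTTP or HTTPS, so it is the token inside the request body, not the channel, that distinguishes the forged request from the genuine one.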
