Hey everyone, thanks a bunch for all the replies again. Replies inline and questions at the end.
Gregor, with everything that I have heard thus far, that Command pattern is looking better and better, even though it will still be a lot of work to properly implement.

jhulford, from what I understand, cookies are sent in the header as well, and that is the whole reason they are vulnerable to XSRF, so setting some header would seem to me not to solve the problem. Your second post was very useful; I had not seen the second article with all the info and it gave me a lot to think about. Thanks.

quentin, what I am trying to do is explained at the end of my post here; perhaps reading it will make sense to you then.

Reiner, thanks once again for brightening the start of my workday with the notion that someone else on this planet can explain things to people with even more sarcasm than I can. :) Your post is the one that really got me a bit down though. What you say is that you see no feasible way to do what I am trying to do, and as Gregor said, you seem to know your stuff, and I therefore seem to slowly lose hope in succeeding quickly with this.

To everyone: We have discussed the pros and cons of many methods now, but let's try to focus on what I initially was trying to ask. :)

I am trying to make something that will AUTOMATICALLY add a sessionID into the PAYLOAD of ANY RPC call sent in my app. This sessionID will AUTOMATICALLY be checked server side, and if okay it will be stripped. The result would ideally be that by extending two different classes (one server side and one client side) the programmer would have full XSRF protection without modifying ANYTHING else in his code.

Server side this can be done by subclassing the RemoteServiceServlet and overriding the processCall method; I have done this. My problem is that I really cannot find what I should capture or extend on the client side. I have this vague feeling that it is because this is all too deeply hidden away in GWT itself, but I cannot verify this in any way.

I really hope that we can fix this and that our solution will help every programmer that has not thought about XSRF with his or her GWT app to make their app secure with minimal effort. (like me, I guess ;)

Patrick
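The server-side half Patrick describes (a `RemoteServiceServlet` subclass whose `processCall` override checks the session token at the front of the RPC payload, strips it, and hands the rest to GWT), written out as an added illustration. This is not Patrick's code and not part of GWT; it assumes a hypothetical framing in which the client prepends the token followed by a `|` separator, and a hypothetical `HttpSession` attribute name `xsrf-token` under which the server stored the token when the session was created. The open question from the thread, how to make the GWT client add that prefix automatically, is not addressed here.

```java
// Added example, not from the original post or from GWT itself.
// Validates and strips a session token from the front of every GWT-RPC payload.
// Assumed framing: "<token>|<original GWT-RPC payload>" (hypothetical).
// Assumed session attribute: "xsrf-token" (hypothetical name).
import com.google.gwt.user.client.rpc.SerializationException;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import javax.servlet.http.HttpSession;

public abstract class XsrfProtectedServlet extends RemoteServiceServlet {

    // Hypothetical attribute name; whatever code creates the session must store
    // an unguessable per-session token here and also hand it to the client.
    static final String TOKEN_ATTRIBUTE = "xsrf-token";
    // Hypothetical separator between the token and the real RPC payload.
    static final char SEPARATOR = '|';

    @Override
    public String processCall(String payload) throws SerializationException {
        int sep = payload.indexOf(SEPARATOR);
        if (sep < 0) {
            // No token at all: refuse before GWT deserializes anything.
            throw new SecurityException("RPC payload carries no session token");
        }
        String presented = payload.substring(0, sep);
        String remaining = payload.substring(sep + 1);

        // getSession(false) so a forged request cannot cause a fresh session
        // (and a fresh, empty token slot) to be created on its behalf.
        HttpSession session = getThreadLocalRequest().getSession(false);
        String expected = (session == null)
                ? null
                : (String) session.getAttribute(TOKEN_ATTRIBUTE);
        if (expected == null || !constantTimeEquals(expected, presented)) {
            throw new SecurityException("RPC session token missing or invalid");
        }

        // Token verified and stripped: GWT deserializes and dispatches as usual.
        return super.processCall(remaining);
    }

    // Compare every character so response timing does not reveal how long a
    // matching prefix was.
    static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.length(); i++) {
            diff |= a.charAt(i) ^ b.charAt(i);
        }
        return diff == 0;
    }
}
```

A concrete service servlet would extend `XsrfProtectedServlet` instead of `RemoteServiceServlet` and otherwise stay unchanged, which is the "extend one class on the server side" part of the idea. Because the token is compared against the session the cookie resolves to, a request that only carries the cookie (the XSRF case) fails the check, while a legitimate client that learned the token from the page can present it. The exception thrown from `processCall` is left for GWT's own unexpected-failure handling to turn into a server error for the caller.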
