And the answer to #1 is 'there is no difference' if you do it that way - but you shouldn't be getting it from a cookie at all, you should be storing it in the app. It's pretty obvious that if you get it from the cookie, someone can replace the cookie; if you store it in the app, replacing the cookie won't change the app's copy, and the mismatch will alert you to the fact that someone is f****** about. Ian
http://examples.roughian.com 2008/12/29 mikedshaf...@gmail.com <mikedshaf...@gmail.com> > > I can answer the 2nd the fastest. It does make sense to have Tomcat > or whatever server handle things, until you have a multi-server > cluster. Then typical session management ideals are tossed out the > window. > > On Dec 29, 7:10 am, akutz <sak...@gmail.com> wrote: > > Per the Login Security FAQ (http://code.google.com/p/google-web- > > toolkit-incubator/wiki/LoginSecurityFAQ) I have a few questions: > > > > 1) We're storing the SID in a client-side cookie and then the GWT app > > is grabbing that and sending it to the server with each RPC request. > > How is that any different than getting the SID from the cookie on the > > server side? Theoretically if an attacker can replace the cookie, then > > wouldn't the GWT portion of the code that reads the cookie to send it > > along with the RPC request pick up the replaced cookie anyway? > > > > 2) What is wrong with simply relying on the normal Tomcat (et al) > > method of handling sessions? Perhaps I simply wish to store some > > information once the client has logged in via an authentication back- > > end that I do not control. Why do I need to send the SID along with > > each request? The client and server already automagically connect each > > incoming client request with the correct session bag (or I thought > > this happened). > > > > Thank you for your time! > > > --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~----------~----~----~----~------~----~------~--~---