as I interpret this article:

then you should do 2 things:
store the session-id in a cookie on the client side + include the
session-id in every RPC call (to prevent XSRF)

and if you call a custom servlet from your application (e.g. we need
this to upload files), you should also include a hidden field with a
copy of the session-id.

anyone please correct me if that's wrong

On Jun 11, 12:35 pm, Paul Robinson <> wrote:
> If you store the session ID in a cookie so that user logins can persist
> beyond browser refreshes (as suggested in the FAQ), then the session ID
> will end up in the header anyway.
> eags wrote:
> > I am implementing user logins and authentication using the model
> > presented in the login security FAQ.  In particular I plan on manually
> > maintaining a table of {sessionID,User,timeout} values for each active
> > session and not using the normal servlet session functionality.
> > So, my question is, where do I get the ID that is returned to the
> > client?  I know that I can get one from the servlet session using
> > HttpServletRequest.getSession().getId() but it seems like I could just
> > use any randomly generated key right?  And maybe in fact I should not
> > use that technique because that sessionID is also in the header where
> > it can be easily snooped right?  So, what is a good technique for
> > generating the sessionID?  To avoid duplicates I would just check the
> > sessionID table before returning the sessionID to the client and if it
> > is already in use I just call generateSessionID() again.  So my
> > question is what should getSessionID() look like?
> > I realize the recommended approach in the LoginSecurityFAQ is
> > controversial and I've already read all that debate so I'm not really
> > interested in more of that.  I just need specific help regarding these
> > questions assuming I am doing what is recommended in the FAQ.
> > Thanks in advance for any help.
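As an added illustration (not code from this thread or from GWT itself), here are the pieces the thread asks about in one class: a getSessionID() built on SecureRandom, the {sessionID, User, timeout} table, and the server-side double-submit comparison between the cookie value and the copy carried in the RPC call or hidden form field. Class, method and field names are my own assumptions.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical session store for the scheme discussed in the thread (Java 8+). */
public class SessionIdStore {
    private static final SecureRandom RNG = new SecureRandom();

    /** One row of the {sessionID, User, timeout} table eags describes. */
    static final class Entry {
        final String user;
        final long expiresAtMillis;
        Entry(String user, long expiresAtMillis) { this.user = user; this.expiresAtMillis = expiresAtMillis; }
    }

    private final Map<String, Entry> table = new ConcurrentHashMap<>();
    private final long ttlMillis;

    SessionIdStore(long ttlMillis) { this.ttlMillis = ttlMillis; }

    /** generateSessionID(): 256 bits from SecureRandom, URL-safe base64 without padding (43 chars). */
    static String generateSessionId() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Issue an ID; with 256 random bits a collision is not a practical concern, but retry as eags planned. */
    String create(String user) {
        Entry entry = new Entry(user, System.currentTimeMillis() + ttlMillis);
        String id;
        do { id = generateSessionId(); } while (table.putIfAbsent(id, entry) != null);
        return id;
    }

    /**
     * Double-submit check: the cookie (sent automatically by the browser) must equal the copy
     * the page itself placed in the RPC payload or hidden field. A forged cross-site request
     * carries the cookie but cannot read it, so it cannot supply the matching copy.
     * Returns the user on success, null on mismatch, unknown ID or expiry.
     */
    String authenticatedUser(String cookieId, String submittedId) {
        if (cookieId == null || submittedId == null) return null;
        if (!MessageDigest.isEqual(cookieId.getBytes(), submittedId.getBytes())) return null; // constant time
        Entry e = table.get(cookieId);
        if (e == null) return null;
        if (System.currentTimeMillis() > e.expiresAtMillis) { table.remove(cookieId); return null; }
        return e.user;
    }
}
```

In a servlet filter, cookieId comes from the request's Cookie header and submittedId from the RPC payload or the hidden field of the upload form.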