1. You are doing some kind of encryption of passwords on the client side.
It's a big mistake. It's easy to figure out how it's being encrypted/hashed.
In your case, the secret key is
L87Y9*(yOFDMrsn};W/.XEPvSt]{uwl~,ozi34jQmT:@Rd)CZae2k|=6^I_+AG-[x01HBNpqUb?cJKV5fgh.
The exact algorithm used for encryption is also extractable; it just needs half
an hour of determination.
2. Not using SSL/TLS is another big mistake. It is trivial for anybody to
see the traffic and extract the password. Your custom password encryption
algo (in 1 above) is not going to help at all.
3. I can't tell how you are storing passwords on the server side, but you
must salt and hash your passwords. They must not be stored in a recoverable
form. Also, use a strong hash function (SHA-1, for example). MD5 is broken,
don't use it. And please do not create your own hash function; it's not worth
it.
4. Why do you have an RPC method getSessionID()? You don't need the
session ID in client-side code. Just stick to the default session ID that
your application server provides. If you want to read the session
identifier, pick it up from the cookie.
5. I see there is a JavaScript check to see if the user is logged in or
not. I hope you are doing it on the server side as well... It's useless to do
the check on the client side.
To summarize - please don't build authentication/authorization yourself. It's
far easier and more secure to use a framework. Once you get the basics right, go
through the Security for GWT
paper <http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications> for
additional information.
--Sri
On 27 April 2010 07:08, John V Denley <[email protected]> wrote:
> I've just created an application as part of a learning experience about
> security with GWT/GAE
>
> This has proved necessary after discovering that using Google account
> logins is unacceptably complex for our potential clients, and as there
> are no plans within Google for a tighter integration with GWT/GAE I
> have had to do it myself.
>
> I know that I am not using SSL/HTTPS and that probably means I'm very
> vulnerable to man-in-the-middle (Eve) attacks? but I don't know how to
> test exactly HOW easy it is to crack, or if it's even anything I really
> need to worry about!
>
> www.ucanzoom.appspot.com
>
> Happy to hear any feedback
>
> Thanks,
> John
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google Web Toolkit" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/google-web-toolkit?hl=en.
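Points 3 and 5 of the reply describe the server-side half of the design: keep only a salted, slow hash of each password, and enforce the logged-in check inside the RPC handler instead of trusting a flag in the client's JavaScript. The block below is an added example, not code from this thread or from the application under discussion. It is plain Python standing in for GAE server code, with in-memory dicts standing in for the datastore; it uses PBKDF2-HMAC-SHA256 with a per-user random salt and a constant-time comparison (an assumed choice of construction; the iteration count is an assumption to tune for your own hardware). The usernames, passwords and session lookups in it are constructed test values.

```python
import hashlib
import hmac
import os
import secrets

# Assumption: iteration count chosen for this example. Tune it for your server
# and store it with each record so it can be raised for new passwords later.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Constructed in-memory tables standing in for the GAE datastore.
USERS = {}     # username -> {"salt": bytes, "iterations": int, "hash": bytes}
SESSIONS = {}  # server-issued session id -> username


def derive_key(password, salt, iterations):
    """Slow, salted derivation; this output is what gets stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(username, password):
    """Create a user record holding only salt, iteration count and derived key."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    USERS[username] = {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "hash": derive_key(password, salt, PBKDF2_ITERATIONS),
    }


def verify_password(username, password):
    """Recompute the derived key for the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so the response time
        # does not reveal whether the username exists.
        derive_key(password, b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
        return False
    candidate = derive_key(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def login(username, password):
    """Return a new unguessable, server-generated session id on success, or None."""
    if not verify_password(username, password):
        return None
    session_id = secrets.token_urlsafe(32)  # 256 bits of randomness
    SESSIONS[session_id] = username
    return session_id


def logout(session_id):
    SESSIONS.pop(session_id, None)


def current_user(session_cookie):
    """Resolve the session cookie sent with a request; None if not logged in."""
    if not session_cookie:
        return None
    return SESSIONS.get(session_cookie)


def rpc_get_private_data(session_cookie):
    """An RPC method that enforces the logged-in check on the server.

    Whatever the client-side JavaScript believes, this handler only proceeds
    when the cookie maps to a live session.
    """
    user = current_user(session_cookie)
    if user is None:
        raise PermissionError("not logged in")
    return "private data for " + user


if __name__ == "__main__":
    register("john", "correct horse battery staple")  # constructed test credentials
    register("jane", "correct horse battery staple")  # same password, different salt
    assert USERS["john"]["hash"] != USERS["jane"]["hash"]
    sid = login("john", "correct horse battery staple")
    print(rpc_get_private_data(sid))
    try:
        rpc_get_private_data("guessed-or-forged-id")
    except PermissionError as e:
        print("rejected:", e)
```

Two details worth noting: the stored record never contains anything from which the password can be recovered, and two users with the same password get different hashes because each has its own salt, so a leaked table cannot be attacked with one precomputed list. The session id is generated on the server and only ever read back from the cookie, which is why no getSessionID() RPC is needed.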