Hi,

I guess you refer to http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ

Quite frankly, this document does not convince me at all. I see the following attack vectors:

a) Just reading unsecured TCP. This will give you account and password in plain text.
Solution: always use https. This will always protect your application data.

b) CSRF (XSRF). A link of a different page in your browser will pass the session cookie, too. (This does not happen when URL rewriting is in place.)
Solution 1) The newest GWT gives you protection by passing the strong name, too, as an additional header. The GWT servlet checks this. At the moment I do not see a possibility for CSRF to pass the header, too. If this is true, this attack vector no longer applies with GWT-RPC.
Solution 2) However, GWT could pass the session id back as an additional header, too. Only your own application has access to the session cookie or URL rewriting (query parameters).
At the moment I think both methods give the same increase in security. Doing both does not really increase security.

In the end, you just have to use https. The rest will be given to you with the newest GWT release. I do not see the need to pass the session id explicitly between client and server.

However, on the server side you should apply common techniques:
1) Only put hashed passwords into a database. The use of JBCrypt might be useful if you intend to build multiple applications with different languages on that database. Otherwise I don't see why not to use MessageDigest.
2) Always check whether your session has logged in.
3) Always check whether your user still has access rights (they may have been dropped meanwhile).

Check getThreadLocalRequest() to get access to the HttpSession.

This blog may also be useful: http://development.lombardi.com/?p=1351

Stefan Bachert
http://gwtworld.de

On 14 Jul., 11:04, Torch <[email protected]> wrote:
> The LoginSecurity FAQ says we must always send the session ID in the
> RPC. I am using the standard servlet sessions. After login I send the
> session ID back to the client. In subsequent RPCs the client sends the
> session ID as an RPC parameter. But how do I get the session object in
> the servlet using the session ID in the RPC? There is no function like
> getSession(id).
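The server-side techniques Stefan lists (hashed passwords, checking that the session has logged in, re-checking access rights on every call, reaching the HttpSession through getThreadLocalRequest()) and Torch's question (there is no getSession(id); the servlet container resolves the session from the cookie, so the client never needs to send the id) can be put together in one GWT-RPC servlet. The following is an added example written for this thread, not code from either poster or from the GWT project. The AccountService interface, AccessDeniedException, the in-memory user and rights tables, and the user "alice" are all constructed for illustration; the password hashing uses jBCrypt (org.mindrot.jbcrypt.BCrypt), which the reply mentions as an option.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.mindrot.jbcrypt.BCrypt;

import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

/** Hypothetical exception returned to the client when no valid, still-authorised session exists. */
class AccessDeniedException extends Exception {
    private static final long serialVersionUID = 1L;
    public AccessDeniedException() { super(); }          // GWT-RPC needs a no-arg constructor
    public AccessDeniedException(String msg) { super(msg); }
}

/** Hypothetical RPC interface. Note that no method takes a session id: the cookie carries it. */
interface AccountService extends RemoteService {
    boolean login(String username, String password);
    void logout();
    String viewAccount() throws AccessDeniedException;
}

public class AccountServiceImpl extends RemoteServiceServlet implements AccountService {
    private static final String USER_ATTR = "auth.username";

    // Constructed in-memory stores standing in for database tables (assumption, not a real schema).
    // Technique 1: passwords are stored only as salted bcrypt hashes, never in clear.
    private static final Map<String, String> PASSWORD_HASHES = new ConcurrentHashMap<>();
    // Access rights are looked up on every call because they can be revoked while a session lives.
    private static final Map<String, Boolean> CAN_VIEW_ACCOUNT = new ConcurrentHashMap<>();
    // Hash compared against for unknown usernames, so "no such user" and "wrong password"
    // cost the same time and do not reveal which accounts exist.
    private static final String DUMMY_HASH = BCrypt.hashpw("dummy", BCrypt.gensalt(12));

    static {
        PASSWORD_HASHES.put("alice", BCrypt.hashpw("correct horse battery staple", BCrypt.gensalt(12)));
        CAN_VIEW_ACCOUNT.put("alice", Boolean.TRUE);
    }

    @Override
    public boolean login(String username, String password) {
        String stored = PASSWORD_HASHES.get(username);
        // checkpw always runs, even for unknown users, to keep the timing uniform.
        boolean ok = BCrypt.checkpw(password, stored != null ? stored : DUMMY_HASH) && stored != null;
        if (!ok) {
            return false;
        }
        HttpServletRequest req = getThreadLocalRequest();
        // Drop any pre-login session so an id planted by an attacker (session fixation)
        // never becomes an authenticated one; the container issues a fresh cookie.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true).setAttribute(USER_ATTR, username);
        return true;
    }

    @Override
    public void logout() {
        HttpSession session = getThreadLocalRequest().getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    @Override
    public String viewAccount() throws AccessDeniedException {
        String user = requireLoggedInUser();                    // technique 2: session has logged in
        if (!Boolean.TRUE.equals(CAN_VIEW_ACCOUNT.get(user))) { // technique 3: right still granted
            throw new AccessDeniedException("access right revoked");
        }
        return "account data for " + user;
    }

    /** Resolves the caller from the container-managed session, never from an RPC parameter. */
    private String requireLoggedInUser() throws AccessDeniedException {
        // getSession(false) returns null rather than creating a session for an anonymous caller.
        HttpSession session = getThreadLocalRequest().getSession(false);
        Object user = (session == null) ? null : session.getAttribute(USER_ATTR);
        if (user == null) {
            throw new AccessDeniedException("not logged in");
        }
        return (String) user;
    }
}
```

The strong-name header check the reply refers to (the X-GWT-Permutation header) is performed by RemoteServiceServlet itself in checkPermutationStrongName(), so the subclass above inherits it without extra code. AccessDeniedException must live in a package the GWT compiler can see, because it is serialised back to the client. Over https the session cookie should additionally be marked Secure and HttpOnly in the container configuration; the servlet code cannot compensate for a cookie that is sent over plain http.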
