Hi Dor, the solution for your problem is well described here: http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
"Remember - you must never rely on the sessionID sent to your server in the cookie header; look only at the sessionID that your GWT app sends explicitly in the payload of messages to your server." These principles are implemented in the acris project. Take a look at the wiki pages: http://code.google.com/p/acris/wiki/Security You can take inspiration from the showcase as well: http://acris.googlecode.com/svn/trunk/acris-showcase/acris-showcase-security/

Peter

On 18. Aug, 08:41 h., Dor <[email protected]> wrote:
> Hi Jeff,
>
> First of all thanks for your answer,
> Second,
>
> A. I am not using gwt for the login process but a PHP one.
> B. Agreed and being used.
> C. Since I don't have a maximum session time (I do have that when my
> application is idle) I can't use this kind of solution.
> D. Storing the IP may result in other problems like: a user came and logged in,
> I stored his IP, suddenly his browser crashed, he opens it again: it
> may contain the same session id or not but it surely contains his same
> IP. He will try to connect and I will block him. So he will have to
> wait for my server-side session timeout definition to expire before
> he will be able to login again. This solution is kind of risky in a
> business manner.
> E. Deleting his volatile in logout is good, but if he crashed that
> won't work and may lead to other edge cases I am not aware of now.
>
> It's clear that the solution should be done on the server side.
>
> Any other solutions or ideas?
>
> Regards,
> Dor

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
