Of course! I didn't mean to imply that you shouldn't secure your app, but honestly if someone succeeds in hijacking your session, then he could possibly do it before loading the host page, so that your GWT app will run with the hijacked session, and the "auth token in the request payload" won't be of any help.
-- You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to google-web-toolkit@googlegroups.com. To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
