You contradict yourself (compare the HttpSession's ID with the auth token –the HttpSession is maintained by a cookie, whose value generally is the session's ID– vs. do not send the auth token in a cookie), but that's not the problem.
The problem is: how are you initializing the auth token on the client side, and how do you associate it with the user on the server side? The client and server have to share some knowledge at some point, and if you use "form based" authentication on another web page (i.e. your app's host page is protected and cannot be accessed without being authenticated), then the only way (not accurate, but that's how 99.999% of auth is done, because the alternative comes with a UX penalty) to "transfer" the authentication from the login page to the app's page is to use either a cookie or pass a unique token in the URL, both of which can be hijacked.

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
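As an added example (not code from this thread or from the GWT project), here is the server side of the "shared knowledge" the reply describes, done so that the token travels neither in a cookie nor in the URL: it is generated once after form login succeeds, stored in the HttpSession, embedded in the already-authenticated host page, and compared against the session's copy on every RPC. The class name, the `auth-token` meta tag and the `X-Auth-Token` header are assumptions; the GWT client is assumed to read the meta tag from the DOM and set that header on its RequestBuilder.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical helper: binds a random per-session token to the HttpSession
// that form-based login created, and verifies it on each RPC.
public final class SessionBoundToken {
    private static final String ATTR = "auth.token";          // session attribute name (assumed)
    private static final String HEADER = "X-Auth-Token";       // header the client sends (assumed)
    private static final SecureRandom RNG = new SecureRandom();

    private SessionBoundToken() {}

    // Call once, right after the login form has been accepted and the session exists.
    public static String issue(HttpSession session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        // URL-safe base64 without padding: safe to place inside an HTML attribute as-is.
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(ATTR, token);
        return token;
    }

    // The host-page servlet writes this into the protected page, so only a client that
    // could already load that page (i.e. an authenticated one) learns the token.
    public static String hostPageMeta(HttpSession session) {
        String token = (String) session.getAttribute(ATTR);
        if (token == null) {
            token = issue(session);
        }
        return "<meta name=\"auth-token\" content=\"" + token + "\">";
    }

    // Run at the start of every RPC / servlet call. A bare session cookie is not enough:
    // the request must also carry the token that only the host page handed out.
    public static boolean verify(HttpServletRequest req) {
        HttpSession session = req.getSession(false);      // never create a session here
        if (session == null) {
            return false;
        }
        String expected = (String) session.getAttribute(ATTR);
        String presented = req.getHeader(HEADER);
        if (expected == null || presented == null) {
            return false;
        }
        // Constant-time comparison so token mismatches do not leak timing information.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }
}
```

Because the token is tied to the session attribute rather than the cookie value, invalidating the HttpSession on logout revokes it automatically.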
