On Fri, Feb 25, 2011 at 12:30 PM, Thomas Broyer <[email protected]> wrote:

> You contradict yourself (compare the HttpSession's ID with the auth token
> –the HttpSession is maintained by a cookie, whose value generally is the
> session's ID– vs. do not send the auth token in a cookie), but that's not
> the problem.


Actually I am not contradicting myself, Thomas. You just failed to
understand!

>
> The problem is: how are you initializing the auth token on the client side,
> and how you associate it with the user on the server-side? The client and
> server have to share some knowledge at some point, and if you use "form
> based" authentication on another web page (i.e. your app's host page is
> protected and cannot be accessed without being authenticated), then the only
> way (not accurate, but that's how 99.999% of auth is done, because the
> alternative comes with a UX penalty) to "transfer" the authentication from
> the login page to the app's page is to use either a cookie or pass a unique
> token in the URL, both of which can be hijacked.
>

If the user is authenticated the authentication process should then send
down the HttpSession id as part of the payload back to the client. The
client then stores the session id it receives as part of the payload from
the server as a local cookie. Encryption can even be applied on the server
for extra security as its value has no real meaning to the client, only
that it needs to include it in each payload to the server.

>  --
> You received this message because you are subscribed to the Google Groups
> "Google Web Toolkit" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/google-web-toolkit?hl=en.
>



-- 
*Jeff Schwartz*
http://jefftschwartz.appspot.com/
http://www.linkedin.com/in/jefftschwartz
follow me on twitter: @jefftschwartz
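The server-side check Jeff describes above (compare the token carried in the request payload with the id of the HttpSession that the session cookie names), as an added example that is not part of the original thread and not GWT's own code; it is written in Python in place of the servlet it stands in for, and the cookie name, the JSON request shape and the in-memory session store are assumptions. It also goes one step beyond the post by showing the request a hijacked or cross-site caller can produce: the browser attaches the cookie automatically, but only client code that received the login payload can supply the matching token, so a request with cookie but no token is refused.

```python
"""Added example (not code from the thread): a server-side check that the
auth token in the request payload equals the HttpSession id identified by
the session cookie. Cookie name, request shape and store are assumed."""
import hmac
import json
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

SESSION_COOKIE = "JSESSIONID"  # assumed: the name a servlet container would use

# Constructed in-memory session store: session id -> authenticated user.
_sessions: Dict[str, str] = {}


def login(user: str) -> str:
    """Authenticate `user` and return a fresh session id.

    A real server would set this id in the session cookie *and* return it
    in the login response payload, which is the step Jeff describes.
    """
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = user
    return sid


def session_from_cookie(cookie_header: Optional[str]) -> Optional[str]:
    """Return the session id named by the Cookie header, or None."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(SESSION_COOKIE)
    return morsel.value if morsel else None


def authorize(cookie_header: Optional[str], body: str) -> Optional[str]:
    """Return the user if the payload token matches the cookie's session id.

    Both halves must agree: the cookie alone (what a forged request carries)
    is not enough, and the token alone (no session) is not enough either.
    """
    sid = session_from_cookie(cookie_header)
    if sid is None or sid not in _sessions:
        return None
    try:
        token = json.loads(body).get("token")
    except (ValueError, AttributeError):
        return None
    # Constant-time comparison so the check leaks nothing about the id.
    if not isinstance(token, str) or not hmac.compare_digest(token, sid):
        return None
    return _sessions[sid]


def demo() -> Dict[str, Optional[str]]:
    """Constructed requests: a legitimate call, a forgery that the browser
    decorates with the cookie but that lacks the token, and a token without
    its session."""
    sid = login("alice")
    cookie = f"{SESSION_COOKIE}={sid}"
    return {
        "legitimate": authorize(cookie, json.dumps({"token": sid, "op": "list"})),
        "forged_no_token": authorize(cookie, json.dumps({"op": "transfer"})),
        "token_without_session": authorize(None, json.dumps({"token": sid})),
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping the token in the payload rather than only in the cookie is that the browser sends cookies on every request regardless of who initiated it, whereas the payload is built by the application's own client code; `demo()` returns `"alice"` for the legitimate request and `None` for the other two.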
