On Wed, Mar 2, 2011 at 1:48 PM, Kathiravan Tamilvanan <kat...@gmail.com> wrote:

> I am also looking for some recommendation for this.
>
> I have read this link
> http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ 
> and
> also wanted to implement the security with RequestFactory. But as the
> article suggests, the session id should be sent on the payload of the
> request instead of the cookie approach.
>
> The following questions come to my mind
>
> 1. Do we need to send the session id on each method on the RequestContext?
> If so how do we validate this on the Server side?
>

IMO if a GET exposes sensitive data to the client then I would say it
should. Also, if a request is a POST then I would say it should. For
everything else it would depend on the nature of the application and the
data. For instance, does the application fall under the guidelines of an
industry's governance board, like many financial applications and
specifically those related to banking and the credit card industries?

You can validate the session id by comparing it to the Session object's
session id as follows (shown in the context of a RemoteServiceServlet):

        // Compare the session id the client sent in the payload (clientSid)
        // with the id of the session the container bound to this request.
        HttpSession session = getThreadLocalRequest().getSession(true);
        String sid = session.getId();
        if (!sid.equals(clientSid)) {   // sid is never null, so a null clientSid fails cleanly
            throw new MyInvalidSessionException();
        }

MyInvalidSessionException is a custom exception class derived from Throwable
and can be caught in the onFailure methods of each RPC call.

>
> 2. Does servlet filter help in validating the session before every request?
> I am not really sure how to get the RequestContext session id parameter from
> the servlet filter . Is it even right thinking?
>

Yes, if you were to use the session id in the request header, which isn't a
good idea, and no if you are using RPC, because the filter will be called
prior to the serialization of your payload, forcing you to resort to bit
twiddling with the request headers to get at it.





-- 
*Jeff Schwartz*
http://jefftschwartz.appspot.com/
http://www.linkedin.com/in/jefftschwartz
follow me on twitter: @jefftschwartz

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.
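To make the two answers above concrete, here is an added example, not code from this thread, from the LoginSecurityFAQ page, or from the GWT project itself. It shows a RemoteServiceServlet that validates a session id carried inside the RPC payload (question 1) and, in the comments, why that check sits in the service method after deserialization rather than in a servlet filter (question 2). The service name AccountService, the method getAccountSummary, the exception class InvalidSessionException and the cookie name JSESSIONID are all assumptions; the cookie name in particular depends on the servlet container.

```java
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import javax.servlet.http.HttpSession;

import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

// Hypothetical service interface: each method that returns sensitive data takes
// the client's copy of the session id as an explicit parameter. In a real
// project this interface and the exception live in the client package as
// separate source files so the GWT compiler can translate them.
interface AccountService extends RemoteService {
    String getAccountSummary(String clientSid) throws InvalidSessionException;
}

// Checked exception that GWT serializes back into the client's onFailure().
// GWT needs a public no-arg constructor and Serializable for that; extending
// Exception (not Throwable directly) keeps it a checked exception.
class InvalidSessionException extends Exception implements Serializable {
    public InvalidSessionException() {
        super("session id in payload does not match the request's session");
    }
}

public class AccountServiceImpl extends RemoteServiceServlet implements AccountService {

    @Override
    public String getAccountSummary(String clientSid) throws InvalidSessionException {
        // The check runs here, after GWT has deserialized the payload. A servlet
        // filter runs earlier and only sees the raw RPC request body, so the
        // payload-borne session id is not available to it without parsing
        // the wire format by hand; hence one call per service method.
        validateSession(clientSid);
        return "balance: 0.00 (constructed sample value)";
    }

    /**
     * Compares the session id the browser placed in the RPC payload with the id
     * of the session the container bound to this request via the cookie. A page
     * on another origin can make the browser send the cookie with a POST, but it
     * cannot read the cookie to copy the id into the payload, so a mismatch is
     * treated as a forged or stale request.
     */
    private void validateSession(String clientSid) throws InvalidSessionException {
        // getSession(false): never mint a fresh session for an unauthenticated caller.
        HttpSession session = getThreadLocalRequest().getSession(false);
        if (session == null || clientSid == null) {
            throw new InvalidSessionException();
        }
        byte[] expected = session.getId().getBytes(StandardCharsets.UTF_8);
        byte[] supplied = clientSid.getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual does not stop at the first differing byte, so
        // response timing does not reveal how much of the id was guessed.
        if (!MessageDigest.isEqual(expected, supplied)) {
            throw new InvalidSessionException();
        }
    }
}

// Client side of the same call (GWT code compiled to JavaScript). The session
// cookie must be readable by script for this to work; JSESSIONID is assumed.
//
//   String sid = Cookies.getCookie("JSESSIONID");   // com.google.gwt.user.client.Cookies
//   accountService.getAccountSummary(sid, new AsyncCallback<String>() {
//       public void onFailure(Throwable caught) { /* InvalidSessionException: prompt re-login */ }
//       public void onSuccess(String summary)   { /* render the summary */ }
//   });
```

The trade-off to keep in mind: this double-submit style check depends on the session cookie being readable from script, so it cannot be marked HttpOnly, which in turn makes protecting the page against script injection more important. Whether each method needs the parameter follows the rule Jeff gives above: methods that expose sensitive data or change state get it, and the server side rejects a missing or mismatched id before touching any data.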