Hi Juan,

Your login flow is correct.

The discussion about sending a session ID in the payload (vs. just a cookie, which the browser sends automatically in HTTP headers) is to prevent XSRF attacks. You can find more info here:

http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
http://code.google.com/webtoolkit/articles/security_for_gwt_applications.html#xsrf

HTH,
/dmc

On Sat, Mar 5, 2011 at 7:44 AM, JuanFernandez <[email protected]> wrote:
> After reading a lot about this topic, I have the following question.
>
> My scenario is a login page (user/psw) and then, depending on the user
> role, he can navigate/view some panels or others.
>
> Is this log-in flow correct?:
> 1-Client sends usr/psw
> 2-Server verifies it and, if it is correct, loads the object which
> contains user id and privileges (called "SessionData") and saves it in
> the session:
>
> this.getThreadLocalRequest().getSession(true).setAttribute(SessionData.USER_INFO,
> new SessionData(d));
> 3-The server returns the object "SessionData" to the client.
>
> Now, as the client saves the object like a singleton which can be
> accessed by all the Composites, I know what I have to show to the user.
> Is this correct?
>
> My second question is, at the time of making RPC calls to the server,
> why is it not secure to identify the client by:
> this.getThreadLocalRequest().getSession()?
> I have read that it is necessary to send the session id in the payload
> of the call, but I do not know why. Is it because when the server does
> "this.getThreadLocalRequest().getSession()" it takes the session from
> cookies? Is the solution to send the session id in the payload of the
> call and compare it in the server? If I use SSL, is it also necessary to
> send the session ID in the payload?
>
> Thank you all in advance for your answers, I hope I can understand
> this.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google Web Toolkit" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/google-web-toolkit?hl=en.

--
David Chandler
Developer Programs Engineer, Google Web Toolkit
w: http://code.google.com/
b: http://googlewebtoolkit.blogspot.com/
t: @googledevtools
