> Perhaps I'm missing something, but isn't this just security through obscurity? You've raised the bar to some extent, but presumably you're storing that security token in some sort of client variable, can't the injected code then just access that same variable too once the attacker figures out where to look for it?
That's right, but it's impossible to hijack the session itself.

> andi
