Thanks for your reply.
I have not sent sessID from the client to the server.
After receiving the username and password from the client, the server responds
by replying with the acctId and the cookie with session id.
Then all the client requests rely on the acctId.


--- On Mon, 4/4/11, Paul Robinson <[email protected]> wrote:

> From: Paul Robinson <[email protected]>
> Subject: Re: authentication question
> To: [email protected]
> Date: Monday, April 4, 2011, 5:14 PM
> As explained here:
> http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
> 
> you should not rely on using cookies to send the session id
> from the client to the server. It's not clear from your code
> whether this is what you're going to do.
> 
> Paul
> 
> On 04/04/11 00:49, Leung wrote:
> > Hi,
> >
> > I am not sure whether my plan for authentication is safe.
> > Please point out my mistake.
> >
> > I use RPC to handle the login request. After verifying
> > the user name and password from client request, the server
> > replies by sending back the acctId and cookie with session
> > id. So the widgets on the client side use the acctId to
> > retrieve the acct specific info by RPC.
> >
> > Server code
> >
> >         // needs javax.servlet.http.Cookie; accountdao is the account DAO
> >         int ret = accountdao.validateAccount(_email, _passwd);
> >         if (ret == 0) {
> >             // login success - return a cookie to the client
> >             String sessId = this.getThreadLocalRequest().getSession().getId();
> >             // duration remembering login. 2 weeks in this example.
> >             final long DURATION = 1000 * 60 * 60 * 24 * 14;
> >             Cookie cookie = new Cookie("sid", sessId);
> >             cookie.setPath("/");
> >             // Cookie takes a max age in seconds, so convert from millis
> >             cookie.setMaxAge((int) (DURATION / 1000));
> >             this.getThreadLocalResponse().addCookie(cookie);
> >             Account tmpAcct = accountdao.getAccount(_email, _passwd);
> >             return tmpAcct.getOid();
> >         }
> >
> > Thanks a lot
> >
> 
> -- 
> You received this message because you are subscribed to the
> Google Groups "Google Web Toolkit" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at 
> http://groups.google.com/group/google-web-toolkit?hl=en.
> 
> 

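Added example, not code from the thread: a server-side sketch of the LoginSecurityFAQ advice Paul links, written against GWT's RemoteServiceServlet. The client reads the sid cookie and passes it as an RPC argument; the server refuses the call unless that value matches the server-side session, and it resolves the account from the session rather than from a client-supplied acctId. AccountDao, Account and getAccountByOid are assumed stand-ins for the thread's accountdao.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpSession;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

public class AccountServiceImpl extends RemoteServiceServlet {
    private static final int MAX_AGE_SECONDS = 60 * 60 * 24 * 14; // 2 weeks, as in the thread
    private final AccountDao accountdao = new AccountDao(); // hypothetical DAO, stands in for accountdao

    // Login flow from the thread, with one change: the account oid is kept in the
    // server-side HttpSession, so later RPCs never have to trust a client-sent acctId.
    public long login(String email, String passwd) {
        if (accountdao.validateAccount(email, passwd) != 0) {
            throw new SecurityException("bad credentials");
        }
        HttpSession session = getThreadLocalRequest().getSession(true);
        Account acct = accountdao.getAccount(email, passwd);
        session.setAttribute("acctOid", acct.getOid());

        // The sid cookie is deliberately not HttpOnly: the GWT client reads it with
        // Cookies.getCookie("sid") and echoes it in every RPC payload (LoginSecurityFAQ).
        Cookie cookie = new Cookie("sid", session.getId());
        cookie.setPath("/");
        cookie.setMaxAge(MAX_AGE_SECONDS);
        getThreadLocalResponse().addCookie(cookie);
        return acct.getOid();
    }

    // Every authenticated RPC takes the session id as an explicit argument and is refused
    // unless it equals the server-side session id. A cross-site page can make the browser
    // attach the cookie, but it cannot read the cookie to fill in this argument.
    public Account getAccountInfo(String sidFromPayload) {
        HttpSession session = getThreadLocalRequest().getSession(false);
        if (session == null || sidFromPayload == null
                || !MessageDigest.isEqual(sidFromPayload.getBytes(StandardCharsets.UTF_8),
                                          session.getId().getBytes(StandardCharsets.UTF_8))) {
            throw new SecurityException("session id missing or mismatched");
        }
        Long oid = (Long) session.getAttribute("acctOid");
        if (oid == null) {
            throw new SecurityException("not logged in");
        }
        return accountdao.getAccountByOid(oid); // hypothetical lookup by the stored oid
    }
}
```

The HttpSession itself still expires on the servlet container's timeout regardless of the cookie's max age, so a two-week "remember me" needs its own server-side token store beyond what is shown here.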