In order to prevent XSRF, I implement session handling in GWT this way:

1. If a sessionID is stored in the cookie, send it to the server in the RPC payload and check if it's still valid.
2. If not, show the login window. The user enters username/password, and both are sent to the server.
3. The server checks if the user exists. If so, I generate a SessionID using UUID.randomUUID.toString and pass it back to the client.
4. The client stores it in a cookie, sending it to the server with each request (in the payload).
Is it okay to completely ignore the sessionID within the cookie header? I've also seen an alternative solution where the cookie's sessionID is additionally sent within each request and then both are tested for equality. Which of the two solutions is better?

-- You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
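The two server-side checks the post compares, written out as an added example (this is editor-supplied code, not the poster's GWT code and not part of the GWT API). The class name SessionGuard, the issue() / validatePayloadOnly() / validateDoubleSubmit() methods and the 30-minute timeout are all assumptions; in a real GWT RemoteServiceServlet the cookie would come from getThreadLocalRequest().getCookies() and the session ID from the RPC payload. Both schemes defeat a cross-site forged request for the same reason: the attacker's page can make the browser attach the cookie, but it cannot read the cookie, so it cannot put the correct ID into the payload. The two checks only differ when the payload ID and the cookie disagree, which the last scenario in main() shows.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical server-side session store and the two validation schemes
 * discussed in the post. Not GWT code; plain Java so it runs stand-alone.
 */
public class SessionGuard {
    // Assumed idle timeout; the post does not specify one.
    private static final long TTL_MILLIS = 30L * 60 * 1000;

    // sessionID -> expiry timestamp. A real server would also map the ID to the user.
    private final Map<String, Long> sessions = new ConcurrentHashMap<>();

    /** Step 3 of the post: after the password check succeeds, mint a random session ID. */
    public String issue() {
        String sid = UUID.randomUUID().toString();
        sessions.put(sid, System.currentTimeMillis() + TTL_MILLIS);
        return sid;
    }

    /** Scheme A: trust only the session ID carried in the RPC payload; the Cookie header is ignored. */
    public boolean validatePayloadOnly(String payloadSid) {
        if (payloadSid == null) {
            return false;
        }
        Long expiry = sessions.get(payloadSid);
        if (expiry == null) {
            return false;
        }
        if (expiry < System.currentTimeMillis()) {
            sessions.remove(payloadSid);   // expired: drop it so it cannot be reused
            return false;
        }
        return true;
    }

    /** Scheme B (double submit): the payload ID must be a live session AND equal the cookie value. */
    public boolean validateDoubleSubmit(String payloadSid, String cookieSid) {
        if (!validatePayloadOnly(payloadSid) || cookieSid == null) {
            return false;
        }
        // Constant-time comparison so timing does not reveal how many leading bytes matched.
        return MessageDigest.isEqual(payloadSid.getBytes(StandardCharsets.UTF_8),
                                     cookieSid.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        SessionGuard guard = new SessionGuard();
        String sid = guard.issue();   // returned to the client, which stores it in a cookie

        // Same-origin GWT call: the client script read the cookie and copied the ID into the payload.
        System.out.println("legit, payload only   : " + guard.validatePayloadOnly(sid));        // true
        System.out.println("legit, double submit  : " + guard.validateDoubleSubmit(sid, sid));  // true

        // Forged cross-site request: the browser attaches the cookie automatically, but the
        // attacking page cannot read it, so the payload carries no ID or a guessed one.
        System.out.println("forged, payload only  : " + guard.validatePayloadOnly(null));          // false
        System.out.println("forged, double submit : " + guard.validateDoubleSubmit("guess", sid)); // false

        // Payload ID and cookie disagree (both are valid sessions): the only case where the
        // two schemes answer differently.
        String other = guard.issue();
        System.out.println("mismatch, payload only  : " + guard.validatePayloadOnly(sid));         // true
        System.out.println("mismatch, double submit : " + guard.validateDoubleSubmit(sid, other)); // false
    }
}
```

Compile and run with `javac SessionGuard.java && java SessionGuard`. Whatever scheme is chosen, the ID must be unguessable (a random UUID as in the post is fine) and must only ever be compared against a server-side record, never trusted because it merely arrived in a cookie.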
