Max - With regards to point 1, I did consider it, but it isn't feasible to use SSL for the entire website when large amounts of data are being sent to/from the server. Most of the data being received from the server is in JSON format, which, although it is less verbose than XML, does include other pieces of data that haven't been requested from the website (client).
All of the received data comes from a DB as row(s). If a row contains a foreign key then the referred row (by the key) is automatically included instead of the key in a JSON file. This is automatically done by the server; no changes were made to do this. You can imagine just how much data is included if there is more than one foreign key, and this automatically scales up recursively if the included row also contains a foreign key.

> 1. Have you considered using TLS/SSL for your complete application? Without
> that a MITM would still be able to sniff the session cookie and act on
> behalf of the user, sniff users' data, modify data on the way between server
> and client and so on.
>
> 2. If you really really want to use TLS only for login purposes I recommend
> you redirect users to a simple login page using https and after logging in
> redirect them back to the http version of your app.
>
> HTH
> Max
