On May 15, 8:38 pm, meder <[email protected]> wrote:
> The problem with using session ID as XSRF token is that applications
> mark session cookies as HttpOnly[1] to protect against cookie theft
> via cross-site scripting (XSS) attacks. This means that client-side
> code can't access the session ID value in a cookie.

I was not aware of HttpOnly cookies. Making the web secure one patch after another, I guess.

> Could you elaborate on which part of the API do you find complex? If
> server-side code was done correctly, client-side coding mistakes will
> result in XSRF exception.

The API has the necessary complexity if you need the additional shared-secret generator/regular cookie. What about real stateless applications without sessions, are you planning to provide an HMAC form-signature based solution?

-- 
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
