I am investigating security considerations around the user login for a GWT 
application in respect of the following strategy:

   - User enters their id and password in a dialogue;
   - Client transmits the login request with the above details to the 
   server using RPC;
   - Server returns a token unique to the client.  The client stores this 
   in a cookie such that if they press F5 to reload the application, or 
   navigate away and come back, they do not need to login again (within a 
   timeout period);
   - On every request the client sends to the server, the token is included 
   in the payload of the request to authenticate the request;

There are some obvious flaws in this approach:

   - The "Eve" type hacker listening on the network can intercept the plain 
   text userid and password and reuse them directly in their client;
   - If someone gains physical access to the original user's computer, can 
   they lift the server token from the cookie and use the token on their 
   computer to impersonate the original user?

What are the solutions to these security exposures:

   - Use SSL.  Any good guides about doing this with GWT?  Does SSL also 
   defeat the "Mallory" attacker that can also modify network data?
   - Any non-SSL solutions?

Perhaps there's a guide about this out there somewhere, but all I can find 
so far is information relating to JavaScript security.

Thanks
Simon.

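The token half of the strategy described in the post above, as an added example that is not part of the original message and not GWT's own code: a server-side Java class (GWT's server side is plain Java servlets) that issues a random session token after the password check, stores only a hash of it, enforces the timeout the post mentions, and lets a logout revoke it so a cookie copied from the user's machine stops working. The user id "simon", the 30-minute timeout and the cookie name "session" are constructed values; the Secure flag on the cookie is the piece that only helps once the application is served over SSL.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Added example (not GWT code): server-side issuance and validation of the per-client token. */
public class SessionTokenService {
    private static final SecureRandom RNG = new SecureRandom();
    private static final long TOKEN_TTL_MS = 30L * 60 * 1000;   // assumed 30-minute idle timeout

    /** Server-side record for one login; the raw token is never stored, only its hash is the key. */
    private static final class Session {
        final String userId;
        volatile long expiresAt;
        Session(String userId, long expiresAt) { this.userId = userId; this.expiresAt = expiresAt; }
    }

    // keyed by hex(SHA-256(token)), so a leaked copy of this table does not yield usable tokens
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    /** Called by the login RPC after the password check succeeds; the raw token goes to the client once. */
    public String issueToken(String userId) {
        byte[] raw = new byte[32];                         // 256 bits from a CSPRNG, not Random
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(sha256Hex(token), new Session(userId, System.currentTimeMillis() + TOKEN_TTL_MS));
        return token;
    }

    /** Validates the token carried in an RPC payload; returns the user id, or null if unknown/expired. */
    public String authenticate(String token) {
        if (token == null) return null;
        String key = sha256Hex(token);
        Session s = sessions.get(key);
        if (s == null) return null;
        long now = System.currentTimeMillis();
        if (now > s.expiresAt) {                           // idle timeout reached: drop it
            sessions.remove(key);
            return null;
        }
        s.expiresAt = now + TOKEN_TTL_MS;                  // sliding expiry while the user is active
        return s.userId;
    }

    /** Explicit logout: invalidating on the server is what makes a lifted cookie useless afterwards. */
    public void revoke(String token) {
        if (token != null) sessions.remove(sha256Hex(token));
    }

    /**
     * Set-Cookie value for the login response. Secure keeps the browser from sending it over plain
     * HTTP. HttpOnly is deliberately absent because the post's design has the GWT client read the
     * cookie and place the token in the RPC payload; adding HttpOnly would block that read.
     */
    public static String cookieHeader(String token) {
        return "session=" + token + "; Path=/; Max-Age=" + (TOKEN_TTL_MS / 1000)
             + "; Secure; SameSite=Strict";
    }

    private static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(64);
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);            // SHA-256 is mandatory in every JRE
        }
    }

    public static void main(String[] args) {
        SessionTokenService svc = new SessionTokenService();
        String token = svc.issueToken("simon");            // constructed user id
        System.out.println("Set-Cookie: " + cookieHeader(token));
        System.out.println("authenticated as: " + svc.authenticate(token));        // simon
        System.out.println("forged token: " + svc.authenticate("not-a-real-token")); // null
        svc.revoke(token);
        System.out.println("after logout: " + svc.authenticate(token));            // null
    }
}
```

The class is in-memory and single-node; a real deployment would back the map with whatever session store the servlet container or cluster uses. None of this replaces SSL for the first flaw in the post: without it the user id, password and token are all readable and modifiable on the wire, which is exactly what the Eve and Mallory questions are about.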
-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/google-web-toolkit/-/4MgiVSsFI3UJ.