Use SSL for security; never send a clear-text user id and password over the wire. If a user navigates away from the app, they should log in again.
ed

On Wed, Oct 24, 2012 at 5:41 AM, Flying-w <[email protected]> wrote:
> I am investigating security considerations around the user login for a GWT application in respect of the following strategy:
>
> User enters their id and password in a dialogue;
> Client transmits the login request with the above details to the server using RPC;
> Server returns a token unique to the client. The client stores this in a cookie such that if they press F5 to reload the application, or navigate away and come back, they do not need to log in again (within a timeout period);
> On every request the client sends to the server, the token is included in the payload of the request to authenticate the request;
>
> There are some obvious flaws in this approach:
>
> The "Eve" type hacker listening on the network can intercept the plain text userid and password and reuse them directly in their client;
> If someone gains physical access to the original user's computer, can they lift the server token from the cookie and use the token on their computer to impersonate the original user?
>
> What are the solutions to these security exposures:
>
> Use SSL. Any good guides about doing this with GWT? Does SSL also defeat the "Mallory" attacker that can also modify network data?
> Any non-SSL solutions?
>
> Perhaps there's a guide about this out there somewhere, but all I can find so far is information relating to javascript security.
>
> Thanks
> Simon.
>
> --
> You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
> To view this discussion on the web visit https://groups.google.com/d/msg/google-web-toolkit/-/4MgiVSsFI3UJ.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
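The server side of the token strategy Simon describes, written as an added example for this thread (it is not GWT code and not code from either poster). The class name `TokenStore`, the cookie name `authToken` and the fake clock values are assumptions. It shows the three things the reply and the question turn on: the token is generated from a CSPRNG so it cannot be guessed, it stops working after an idle timeout or an explicit logout, and the cookie is marked `Secure` so the browser never sends it over clear-text HTTP.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical server-side session-token store for the login strategy in the
 * thread. Illustrative code, not part of GWT or of the original poster's
 * application. Clock values are passed in explicitly so the idle timeout can
 * be exercised deterministically.
 */
public class TokenStore {
    private static final SecureRandom RNG = new SecureRandom();

    /** What the server remembers per token; the map is keyed by SHA-256(token). */
    static final class Session {
        final String userId;
        volatile long lastSeenMillis;
        Session(String userId, long now) { this.userId = userId; this.lastSeenMillis = now; }
    }

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final long idleTimeoutMillis;

    public TokenStore(long idleTimeoutMillis) { this.idleTimeoutMillis = idleTimeoutMillis; }

    /** Issue a fresh token. Call this only after the password has been verified. */
    public String issue(String userId, long now) {
        byte[] raw = new byte[32];               // 256 bits from a CSPRNG: unguessable
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(fingerprint(token), new Session(userId, now));
        return token;
    }

    /** Returns the user id for a live token, or null if the token is unknown or idle too long. */
    public String validate(String token, long now) {
        if (token == null) return null;
        String key = fingerprint(token);
        Session s = sessions.get(key);
        if (s == null) return null;
        if (now - s.lastSeenMillis > idleTimeoutMillis) {
            sessions.remove(key);                // expired: the user must log in again
            return null;
        }
        s.lastSeenMillis = now;                  // sliding window: activity extends the session
        return s.userId;
    }

    /** Logout: the token stops working server-side even if a copy of the cookie survives. */
    public void revoke(String token) {
        if (token != null) sessions.remove(fingerprint(token));
    }

    /** Set-Cookie value. Secure keeps it off clear-text HTTP; HttpOnly keeps page scripts away from it. */
    public static String cookieHeader(String token, long maxAgeSeconds) {
        return "authToken=" + token + "; Max-Age=" + maxAgeSeconds
             + "; Path=/; Secure; HttpOnly; SameSite=Strict";
    }

    /** Store a hash rather than the token itself, so a leaked session table yields no usable tokens. */
    private static String fingerprint(String token) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required by every JRE", e);
        }
    }

    public static void main(String[] args) {
        long minute = 60_000L;
        TokenStore store = new TokenStore(15 * minute);
        long t0 = 1_000_000L;                     // constructed clock value, not wall time

        String token = store.issue("simon", t0);
        System.out.println(cookieHeader(token, 15 * 60));
        System.out.println("after 10 min : " + store.validate(token, t0 + 10 * minute)); // simon
        System.out.println("after 20 min : " + store.validate(token, t0 + 20 * minute)); // simon (window slid)
        System.out.println("after 40 min : " + store.validate(token, t0 + 40 * minute)); // null, idle too long
        String again = store.issue("simon", t0);
        store.revoke(again);
        System.out.println("after logout : " + store.validate(again, t0 + 1));          // null
        System.out.println("tampered     : " + store.validate(token + "x", t0));        // null
    }
}
```

Two design notes. With `HttpOnly` set, the GWT client cannot read the cookie to copy the token into the RPC payload as Simon's step 4 proposes; instead the browser attaches the cookie itself and the servlet reads it from the request's cookies, and `SameSite=Strict` is there so cross-site requests do not carry it. SSL plus this cookie handling covers Eve and Mallory on the network (the token and the password never travel in clear text, and TLS detects modification in transit); it does nothing about someone with physical access to the machine, which is why the idle timeout is short and `revoke` is called on logout so that a lifted cookie is useful only briefly.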
