- Use HttpOnly cookies so that any eventually injected JS does not have
access to the session cookie.
- You could compute and send the MD5 hash of the password instead of the
clear one if the server is storing the password in MD5.

On Wed, Oct 24, 2012 at 8:26 PM, Ed <ej19...@gmail.com> wrote:

> Use SSL for Security, never send a clear text user id password over the
> wire.
> If a user navigates away from app then they should log in again.
>
> ed
>
> On Wed, Oct 24, 2012 at 5:41 AM, Flying-w <simonjone...@googlemail.com>
> wrote:
> > I am investigating security considerations around the user login for a GWT
> > application in respect of the following strategy:
> >
> > User enters their id and password in a dialogue;
> > Client transmits the login request with the above details to the server
> > using RPC;
> > Server returns a token unique to the client.  The client stores this in a
> > cookie such that if they press F5 to reload the application, or navigate
> > away and come back, they do not need to login again (within a timeout
> > period);
> > On every request the client sends to the server, the token is included in
> > the payload of the request to authenticate the request;
> >
> > There are some obvious flaws in this approach:
> >
> > The "Eve" type hacker listening on the network can intercept the plain text
> > userid and password and reuse them directly in their client;
> > If someone gains physical access to the original users computer, can they
> > lift the server token from the cookie and use the token on the their
> > computer to impersonate the original user?
> >
> > What are the solutions to these security exposures:
> >
> > Use SSL.  Any good guides about doing this with GWT?  Does SSL also defeat
> > the "Mallory" attacker that can also modify network data?
> > Any non-SSL solutions?
> >
> > Perhaps there's a guide about this out there somewhere, but all I can find
> > so far is information relating to javascript security.
> >
> > Thanks
> > Simon.
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Google Web Toolkit" group.
> > To view this discussion on the web visit
> > https://groups.google.com/d/msg/google-web-toolkit/-/4MgiVSsFI3UJ.
> > To post to this group, send email to google-web-toolkit@googlegroups.com.
> > To unsubscribe from this group, send email to
> > google-web-toolkit+unsubscr...@googlegroups.com.
> > For more options, visit this group at
> > http://groups.google.com/group/google-web-toolkit?hl=en.

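As an added illustration of the mechanics discussed in this thread (not code from any of the posters or from GWT itself): the login flow Simon describes, with the two recommendations layered on top, namely the token cookie marked HttpOnly so injected script cannot read it, and marked Secure so it only travels over the SSL connection Ed recommends. The token is an opaque random value kept in a server-side table with the idle timeout the question mentions, so a token lifted from a user's machine can at least be expired or revoked on the server. The class name, cookie name and 30-minute timeout are assumptions; it targets the Servlet 3.0 API (which is where `Cookie.setHttpOnly` appeared).

```java
// Added example, not from the thread: server-side session tokens for a GWT RPC
// servlet. Assumes Servlet 3.0+ and that the application is served over HTTPS.
// SessionTokens, SESSIONTOKEN and the 30-minute timeout are hypothetical choices.
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public final class SessionTokens {
    private static final String COOKIE_NAME = "SESSIONTOKEN";     // hypothetical name
    private static final long TIMEOUT_MILLIS = 30L * 60 * 1000;   // idle timeout (constructed value)

    private static final SecureRandom RNG = new SecureRandom();
    // token -> session. The token is only ever stored here and in the user's cookie.
    private static final Map<String, Session> SESSIONS = new ConcurrentHashMap<>();

    public static final class Session {
        public final String userId;
        volatile long lastSeen;
        Session(String userId, long now) { this.userId = userId; this.lastSeen = now; }
    }

    /** Called by the login RPC after the id/password have been verified on the server. */
    public static String issue(String userId, HttpServletResponse resp) {
        byte[] raw = new byte[32];          // 256 random bits: unguessable, carries no user data
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SESSIONS.put(token, new Session(userId, System.currentTimeMillis()));

        Cookie c = new Cookie(COOKIE_NAME, token);
        c.setHttpOnly(true);   // script in the page cannot read it via document.cookie
        c.setSecure(true);     // browser sends it over HTTPS only, never in clear text
        c.setPath("/");
        c.setMaxAge((int) (TIMEOUT_MILLIS / 1000));
        resp.addCookie(c);
        return token;
    }

    /** Called at the top of every RPC method; null means "not authenticated, log in again". */
    public static Session authenticate(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) {
                return lookup(c.getValue(), System.currentTimeMillis());
            }
        }
        return null;
    }

    /** Lookup with sliding idle timeout, kept separate from the servlet API for testing. */
    static Session lookup(String token, long now) {
        Session s = SESSIONS.get(token);
        if (s == null) return null;
        if (now - s.lastSeen > TIMEOUT_MILLIS) {
            SESSIONS.remove(token);         // expired: the user must log in again
            return null;
        }
        s.lastSeen = now;                   // F5 / navigate-away-and-back within the window stays logged in
        return s;
    }

    /** Logout: drop the server-side entry so a copied cookie value stops working too. */
    public static void revoke(HttpServletRequest req, HttpServletResponse resp) {
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (COOKIE_NAME.equals(c.getName())) SESSIONS.remove(c.getValue());
            }
        }
        Cookie dead = new Cookie(COOKIE_NAME, "");
        dead.setHttpOnly(true);
        dead.setSecure(true);
        dead.setPath("/");
        dead.setMaxAge(0);                  // tells the browser to delete the cookie
        resp.addCookie(dead);
    }
}
```

Two consequences worth noticing. First, once the cookie is HttpOnly the GWT client can no longer copy the token into the RPC payload as the original design had it; the browser attaches the cookie itself, and a `RemoteServiceServlet` reads it with `SessionTokens.authenticate(getThreadLocalRequest())`. Second, HttpOnly and Secure address script injection and network listening, not the physical-access case Simon raised: someone who can read the cookie store on the user's machine still gets a usable token, so the idle timeout, the server-side table and `revoke` are what bound the damage there.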