Hello,
I think it's a good process because you don't use a cookie and pass the session in the payload.
I have a question concerning step 3: *The server checks if the user exists. If so, I generate a SessionID using UUID.randomUUID.toString and pass it back to the client.* where do
In order to prevent XSRF, I implement session handling in GWT this way:
1. If a sessionID is stored in the cookie, send it to the server in the RPC payload and check if it's still valid.
2. If not, show login window. User enters username/password, both are sent to the server.
3. The
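The three steps quoted above, implemented server side as an added example (my code, not the poster's or GWT's). The credential check and the 30-minute session lifetime are assumptions, since the post does not say how users are stored:

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiPredicate;

// Added example, not code from the thread: server side of the three-step flow.
// The session ID is minted with UUID.randomUUID().toString() and must arrive in
// the RPC payload; a cross-site request can make the browser attach cookies,
// but it cannot read or forge this value into the payload.
public class PayloadSessionService {
    private static final long TTL_MILLIS = 30L * 60 * 1000; // assumed lifetime
    private static final class Session {
        final String user; final long expiresAt;
        Session(String user, long expiresAt) { this.user = user; this.expiresAt = expiresAt; }
    }
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();
    private final BiPredicate<String, String> credentialCheck; // stand-in for the user store
    public PayloadSessionService(BiPredicate<String, String> check) { this.credentialCheck = check; }

    // Steps 2 and 3: verify username/password, then issue a fresh session ID.
    public String login(String username, String password) {
        if (username == null || password == null || !credentialCheck.test(username, password)) {
            return null; // client keeps showing the login window
        }
        String sessionId = UUID.randomUUID().toString();
        sessions.put(sessionId, new Session(username, System.currentTimeMillis() + TTL_MILLIS));
        return sessionId;
    }

    // Step 1: the client sends the stored ID inside the RPC payload; the servlet
    // reads it from there and never falls back to a cookie the browser attached.
    public String validate(String sessionIdFromPayload) {
        Session s = sessionIdFromPayload == null ? null : sessions.get(sessionIdFromPayload);
        if (s == null) return null;
        if (System.currentTimeMillis() > s.expiresAt) {
            sessions.remove(sessionIdFromPayload); // expired: user must log in again
            return null;
        }
        return s.user;
    }

    public static void main(String[] args) {
        // Constructed demo credentials; a real deployment compares a password hash.
        PayloadSessionService svc = new PayloadSessionService((u, p) -> "alice".equals(u) && "demo-pw".equals(p));
        String id = svc.login("alice", "demo-pw");
        System.out.println("valid payload ID -> " + svc.validate(id));
        System.out.println("forged payload ID -> " + svc.validate("not-a-session"));
    }
}
```

Any RPC call that reaches the servlet without a payload session ID that `validate` accepts is treated as unauthenticated, which is what stops a forged cross-site request from riding on the cookie alone.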
GWT 2.3 comes with XSRF RPC built-in protection. See
http://code.google.com/intl/it-IT/webtoolkit/doc/latest/DevGuideSecurityRpcXsrf.html
That's an implementation of what was already discussed in an old (but still interesting) document: