http://gwt-code-reviews.appspot.com/1251801/diff/11001/12008
File user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java (right):

http://gwt-code-reviews.appspot.com/1251801/diff/11001/12008#newcode120
user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java:120: private boolean isCookieValueValid(String cookieValue) {
On 2011/01/11 01:48:15, meder wrote:
On 2011/01/11 00:32:23, xtof wrote:
> I'm not too fond of how this method performs two different kinds of functions,
> depending on how the class is configured:
> If the class is configured to use a session cookie, this method seems to check
> that the token value is as expected, whereas if no sessionCookieName is set, it
> just checks for well-formedness of the cookie.
>
> Either way, I'm a bit confused as to how this works...

This method only checks if the value itself is sane; code on line 107 will
compare the two values.

Got it...

http://gwt-code-reviews.appspot.com/1251801/diff/11001/12009
File user/src/com/google/gwt/user/server/rpc/XsrfTokenServiceServlet.java (right):

http://gwt-code-reviews.appspot.com/1251801/diff/11001/12009#newcode192
user/src/com/google/gwt/user/server/rpc/XsrfTokenServiceServlet.java:192: setCookieAndExpireOldCookies(newXsrfCookie);
On 2011/01/11 01:48:15, meder wrote:
On 2011/01/11 00:37:06, xtof wrote:
> If I understand this correctly, the cookie is set both when the xsrf token is a
> random value, _and_ when the token is generated off of a SessionCookie. In the
> latter case, I don't understand why it's necessary to set the XSRF cookie, and
> if it's not necessary I think it should be avoided.

I thought that this would make it easier for apps to work with the token; the app would
have to only issue getNewXsrfToken() once and subsequently simply read the value
from the cookie and construct XsrfToken that way.

I see. Well, typically I'd think a GWT client would just call the getNewXsrfToken RPC and hang on to the token in client state; I'm not sure if it needs to be in a cookie. Come to think of it, if we do provide infrastructure code that stores values in cookies, we should make it configurable with respect to the path of the cookie and the 'secure' attribute. Which in turn seems to introduce a fair bit of complication. Plus, if a developer really wants to store the value in a cookie, they can do so.

http://gwt-code-reviews.appspot.com/1251801/show

--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
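The two-step check the thread describes (well-formedness first, then comparison against a value recomputed from the session cookie) and the cookie attributes xtof asks for, as an added illustrative example that is not GWT's own XsrfTokenServiceServlet or XsrfProtectedServiceServlet code. The class, the HMAC-based derivation, the server key, the cookie name and the sample session value are all assumptions.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative sketch, not GWT's servlet code: session-bound XSRF token generation and checking. */
public final class XsrfTokenDemo {
    private final byte[] serverKey; // hypothetical server-side secret, not how GWT keys its tokens
    XsrfTokenDemo(byte[] serverKey) { this.serverKey = serverKey.clone(); }

    /** Derive the token from the session cookie value: HMAC-SHA256, 64 lowercase hex digits. */
    String tokenFor(String sessionCookieValue) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(serverKey, "HmacSHA256"));
            byte[] tag = mac.doFinal(sessionCookieValue.getBytes(StandardCharsets.UTF_8));
            return String.format("%064x", new BigInteger(1, tag)); // zero-padded to 32 bytes
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Well-formedness only, the role isCookieValueValid plays in the thread. */
    static boolean isTokenWellFormed(String token) {
        return token != null && token.matches("[0-9a-f]{64}");
    }

    /** The second step the thread mentions: recompute from the session and compare in constant time. */
    boolean isTokenValid(String sessionCookieValue, String presentedToken) {
        if (sessionCookieValue == null || !isTokenWellFormed(presentedToken)) return false;
        byte[] expected = tokenFor(sessionCookieValue).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, presentedToken.getBytes(StandardCharsets.US_ASCII));
    }
    /** If a token cookie is issued at all, Path and Secure are explicit, as the reply above asks. */
    static String tokenCookieHeader(String name, String token, String path, boolean secure) {
        // No HttpOnly: the client has to be able to read this cookie to build its XsrfToken.
        return name + "=" + token + "; Path=" + path + (secure ? "; Secure" : "");
    }

    public static void main(String[] args) {
        XsrfTokenDemo demo = new XsrfTokenDemo("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String session = "constructed-session-id-1234"; // stands in for the session cookie value
        String token = demo.tokenFor(session);
        System.out.println(demo.isTokenValid(session, token));         // check against the issuing session
        System.out.println(demo.isTokenValid("other-session", token)); // check against a different session
        System.out.println(tokenCookieHeader("XSRF_TOKEN", token, "/app", true));
    }
}
```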