http://gwt-code-reviews.appspot.com/1251801/diff/44001/45010
File user/src/com/google/gwt/user/server/Util.java (right):

http://gwt-code-reviews.appspot.com/1251801/diff/44001/45010#newcode76
user/src/com/google/gwt/user/server/Util.java:76: * @throws IllegalStateException if duplicate cookies are detected.
I think either IllegalStateException or IllegalArgumentException is fine -- the state of the request is in error, and that request was passed as an argument. I agree it isn't worth creating a custom exception for it.

http://gwt-code-reviews.appspot.com/1251801/diff/44001/45014
File user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java (right):

http://gwt-code-reviews.appspot.com/1251801/diff/44001/45014#newcode37
user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java:37: * XSRF token validation is performed by generating MD5 hash of the session
I am not a cryptographer either, but my understanding is that SHA1 is just as broken as MD5, especially if used unsalted. I don't think these are long-lived enough or protect something important enough to matter. As you suggested earlier, I think most apps caring about this will have authentication anyway and then that will be used instead.

http://gwt-code-reviews.appspot.com/1251801/show

--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
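The two points in the review above (a cookie lookup that throws IllegalStateException on duplicate cookies, and an XSRF token derived by hashing the session cookie with MD5) are sketched below as one added, self-contained Java example. It is not GWT's own code from this change: the class and method names (XsrfTokenExample, getCookie, generateToken, validateToken), the stand-in Cookie holder used so the snippet compiles without the servlet API, and the sample cookie values are all assumptions. The digest algorithm follows what the page states (MD5 of the session cookie, unsalted); the constant-time comparison via MessageDigest.isEqual is an addition of this example, not something the review discusses.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class XsrfTokenExample {

  /** Minimal stand-in for javax.servlet.http.Cookie (assumption: only name and value are needed here). */
  static final class Cookie {
    final String name;
    final String value;
    Cookie(String name, String value) { this.name = name; this.value = value; }
  }

  /**
   * Returns the value of the named cookie, or null if it is absent.
   * @throws IllegalStateException if more than one cookie with that name is present,
   *         mirroring the @throws contract discussed in the review
   */
  static String getCookie(Cookie[] cookies, String name) {
    if (cookies == null) return null;
    String found = null;
    for (Cookie c : cookies) {
      if (!name.equals(c.name)) continue;
      if (found != null) {
        throw new IllegalStateException("Duplicate cookie: " + name);
      }
      found = c.value;
    }
    return found;
  }

  /** Derives the XSRF token as the lowercase hex MD5 digest of the session cookie value. */
  static String generateToken(String sessionId) {
    try {
      MessageDigest md = MessageDigest.getInstance("MD5");
      byte[] digest = md.digest(sessionId.getBytes(StandardCharsets.UTF_8));
      StringBuilder sb = new StringBuilder(digest.length * 2);
      for (byte b : digest) sb.append(String.format("%02x", b & 0xff));
      return sb.toString();
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException(e); // MD5 is always available in a standard JRE
    }
  }

  /**
   * Validates a token presented by the client against the token recomputed from the
   * session cookie. Uses a constant-time byte comparison so token validation does not
   * leak how many leading characters matched.
   */
  static boolean validateToken(Cookie[] cookies, String sessionCookieName, String presentedToken) {
    String sessionId = getCookie(cookies, sessionCookieName); // may throw on duplicates
    if (sessionId == null || presentedToken == null) return false;
    byte[] expected = generateToken(sessionId).getBytes(StandardCharsets.UTF_8);
    byte[] actual = presentedToken.getBytes(StandardCharsets.UTF_8);
    return MessageDigest.isEqual(expected, actual);
  }

  public static void main(String[] args) {
    // Constructed sample request cookies; the values are not real session data.
    Cookie[] cookies = { new Cookie("JSESSIONID", "abc123"), new Cookie("theme", "dark") };
    String token = generateToken("abc123");
    System.out.println("valid token accepted: " + validateToken(cookies, "JSESSIONID", token));
    System.out.println("wrong token rejected: " + validateToken(cookies, "JSESSIONID", "deadbeef"));

    // A request carrying two JSESSIONID cookies is treated as an error, as the review discusses.
    Cookie[] duplicates = { new Cookie("JSESSIONID", "abc123"), new Cookie("JSESSIONID", "zzz999") };
    try {
      validateToken(duplicates, "JSESSIONID", token);
    } catch (IllegalStateException e) {
      System.out.println("duplicate cookie rejected: " + e.getMessage());
    }
  }
}
```

Run it with `javac XsrfTokenExample.java && java XsrfTokenExample`. The token is a pure function of the session cookie value, which is exactly why the review is only about which digest to use: whoever can read the session cookie can recompute the token, so the scheme's strength rests on the session cookie staying confidential, not on the digest.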