On Thu, Jan 13, 2011 at 10:53, <j...@google.com> wrote:
>
> http://gwt-code-reviews.appspot.com/1251801/diff/44001/45010
> File user/src/com/google/gwt/user/server/Util.java (right):
>
> http://gwt-code-reviews.appspot.com/1251801/diff/44001/45010#newcode76
> user/src/com/google/gwt/user/server/Util.java:76: * @throws
> IllegalStateException if duplicate cookies are detected.
> I think either IllegalStateException or IllegalArgumentException is fine
> -- the state of the request is in error, and that request was passed as
> an argument. I agree it isn't worth creating a custom exception for it.
>
>
> http://gwt-code-reviews.appspot.com/1251801/diff/44001/45014
> File
> user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java
> (right):
>
> http://gwt-code-reviews.appspot.com/1251801/diff/44001/45014#newcode37
>
> user/src/com/google/gwt/user/server/rpc/XsrfProtectedServiceServlet.java:37:
> * XSRF token validation is performed by generating MD5 hash of the
> session
> I am not a cryptographer either, but my understanding is that SHA1 is
> just as broken as MD5, especially if used unsalted.
>
> I don't think these are long-lived enough or protect something important
> enough to matter. As you suggested earlier, I think most apps caring
> about this will have authentication anyway and then that will be used
> instead.
>
> I don't feel too strongly about this, and leaving it as MD5 is probably ok.
So, LGTM.

--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
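The scheme under review derives the XSRF token by hashing the session cookie value, so the only thing the hash buys over sending the cookie value itself is that the raw session ID is not echoed in the RPC payload; swapping MD5 for SHA-1 changes nothing about that, which is the reviewer's point. The keyed alternative a practitioner would reach for is an HMAC over the same cookie value with a server-side secret, plus a constant-time comparison on validation. The following is an added illustration written for this page, not code from GWT's XsrfProtectedServiceServlet or Util; the class name, the randomly generated SERVER_KEY (standing in for a secret loaded from deployment configuration) and the sample cookie value are all constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative XSRF token derivation (hypothetical class, not GWT's own code). */
public final class XsrfTokenExample {

    // Assumption: in a real deployment this secret comes from configuration and is
    // shared by all servers that validate tokens; here it is generated at startup.
    private static final byte[] SERVER_KEY = newKey();

    private static byte[] newKey() {
        byte[] k = new byte[32];
        new SecureRandom().nextBytes(k);
        return k;
    }

    /** Unkeyed digest of the session cookie value: the scheme discussed in the review. */
    static String unkeyedToken(String sessionCookie, String algorithm)
            throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        return hex(md.digest(sessionCookie.getBytes(StandardCharsets.UTF_8)));
    }

    /** Keyed token: HMAC-SHA256 over the session cookie value under the server secret. */
    static String keyedToken(String sessionCookie) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(SERVER_KEY, "HmacSHA256"));
        return hex(mac.doFinal(sessionCookie.getBytes(StandardCharsets.UTF_8)));
    }

    /** Recomputes the expected token and compares in constant time. */
    static boolean validate(String sessionCookie, String presentedToken) throws Exception {
        byte[] expected = keyedToken(sessionCookie).getBytes(StandardCharsets.US_ASCII);
        byte[] got = presentedToken.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, got);
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) {
            sb.append(String.format("%02x", x));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample session cookie value for the demonstration.
        String session = "JSESSIONID=3f1a9c0e7b2d4a6c";

        // Anyone holding the cookie value can recompute these offline; the digest
        // algorithm does not change that, only the key in the HMAC variant does.
        System.out.println("MD5   : " + unkeyedToken(session, "MD5"));
        System.out.println("SHA-1 : " + unkeyedToken(session, "SHA-1"));

        String token = keyedToken(session);
        System.out.println("HMAC  : " + token);
        System.out.println("valid (genuine token) : " + validate(session, token));
        // Same length, one character altered: must be rejected.
        String tampered = token.substring(1) + "0";
        System.out.println("valid (tampered token): " + validate(session, tampered));
    }
}
```

The unkeyed variant is still a reasonable XSRF defence against a cross-origin page, because that page cannot read the victim's cookie and so cannot compute the token; the keyed variant additionally stops anyone who sees the cookie value in a log or a proxy from minting tokens without the server secret, and `MessageDigest.isEqual` avoids leaking a byte-by-byte match count through timing.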