sim123 wrote:
> If I should not piggyback my sessionID with RPC payload, then what
> does this line in GWTLogin Security means and could you please help me
> with how can I achieve this?
> 
> "NB: Do NOT attempt to use the Cookie header to transfer the sessionID
> from GWT to the server; it is fraught with security issues that will
> become clear in the rest of this article. You MUST transfer the
> sessionID in the payload of the request"

In short: A Cookie will be sent by the browser automatically,
if a page of the specific server is requested. So in case a
browser has a bug allowing cross site attacks, the only thing
the attacker has to do is let the browser do the request.

If the sessionID has to be transferred as part of the POST
request, the attacker needs additional information from
another web application that runs in parallel. That needs at
least one more bug in the browser to achieve this (for the
same reason, sessionIDs shouldn't be part of the URL).


Regards, Lothar

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to Google-Web-Toolkit@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/Google-Web-Toolkit?hl=en
-~----------~----~----~----~------~----~------~--~---
