Yes, and those cross-site attacks depend on your server (and/or your client) taking user input and blindly embedding it in the DOM, so that the user can create links and buttons and images and the like on the page you supposedly control. So don't do that, and then you can use HTTP standards for authentication.
Walden

On Oct 1, 8:40 am, Lothar Kimmeringer <[EMAIL PROTECTED]> wrote:
> walden wrote:
>
> > However, I'm suggesting a simpler approach, one which I'm using on my
> > project, which is simply configuring your server to protect the
> > resources you want protected using HTTP Digest authentication.
> > Depending on what your server is, find the documentation on
> > configuring that. There's not a whole lot more to it.
>
> HTTP Digest authentication has the same problem as Session-IDs
> in Cookies. A browser automatically transfers the
> authentication-credentials for every request, so you're in danger
> of successful cross-site-attacks.
>
> Regards, Lothar