Thanks for your reply, but how can I access the sessionID value from the POST parameter in my filter, as request.getParameter("sessionID") is returning null?
On Oct 1, 12:16 am, Lothar Kimmeringer <[EMAIL PROTECTED]> wrote:
> sim123 wrote:
>
> > If I should not piggyback my sessionID with RPC payload, then what
> > does this line in GWTLogin Security mean and could you please help me
> > with how can I achieve this?
> >
> > "NB: Do NOT attempt to use the Cookie header to transfer the sessionID
> > from GWT to the server; it is fraught with security issues that will
> > become clear in the rest of this article. You MUST transfer the
> > sessionID in the payload of the request"
>
> In short: A Cookie will be sent by the browser automatically,
> if a page of the specific server is requested. So in case a
> browser has a bug allowing cross site attacks, the only thing
> the attacker has to do is let the browser do the request.
>
> If the sessionID has to be transferred as part of the POST-
> request, the attacker needs additional information from
> another webapplication that runs in parallel. That needs at
> least one more bug in the browser to achieve this (for the
> same reason, sessionIDs shouldn't be part of the URL).
>
> Regards, Lothar
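
The difference described in the quoted reply, as an added example that is not part of the original thread: a server-side check that accepts the sessionID only from the request payload, next to a cookie-only check. The names `login`, `authenticate`, `authenticate_cookie_only` and the in-memory `SESSIONS` store are assumptions made for this sketch, and the requests are constructed.

```python
import secrets

# Constructed in-memory session store: sessionID -> user name.
SESSIONS = {}


def login(user):
    """Create a session; the ID is returned to the client in the login response."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def authenticate(cookies, payload):
    """Return the user for this request, or None.

    Only the sessionID carried in the request payload counts. The Cookie
    header is ignored here because the browser attaches it to every request
    sent to this server, including requests triggered by another site.
    """
    presented = payload.get("sessionID")
    if not isinstance(presented, str) or not presented:
        return None
    return SESSIONS.get(presented)


def authenticate_cookie_only(cookies, payload):
    """Weak variant for comparison: trusts whatever cookie the browser sent."""
    return SESSIONS.get(cookies.get("sessionID", ""))


def demo():
    sid = login("alice")
    # Legitimate client: it was handed the ID at login and copies it
    # into the payload of each request.
    legit = ({"sessionID": sid}, {"sessionID": sid, "action": "getInbox"})
    # Cross-site request: the browser adds the cookie on its own, but the
    # foreign page cannot read the ID, so the payload carries none.
    forged = ({"sessionID": sid}, {"action": "getInbox"})
    return {
        "legit_payload": authenticate(*legit),
        "forged_payload": authenticate(*forged),
        "forged_cookie_only": authenticate_cookie_only(*forged),
    }


if __name__ == "__main__":
    print(demo())
```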