walden! I also don't get why we need cookies. Can you please answer this question? Why don't we store the session id in a JS variable?
On 1 Oct, 15:44, walden <[EMAIL PROTECTED]> wrote:
> Hi nogridbag,
>
> You might just want to "begin at the beginning" and read the HTTP Basic and HTTP Digest specifications. These will give you an indication of what is already built into browsers and web servers for solving the mainstream of authentication requirements on the web in a way that is orthogonal to application logic (a good thing). Realize that the FAQ you read is part of a departure from those standards. Part of the cost of that departure is the complexity you have stumbled on.
>
> Walden
>
> On Sep 30, 11:22 pm, nogridbag <[EMAIL PROTECTED]> wrote:
> > Hi, I'm fairly new to web apps so I have a few basic questions about handling the user's secure session. I read the article on login security here:
> > http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecur...
> >
> > I understand everything up to the section "How to remember logins". At the bottom of that section it states "Remember - you must never rely on the sessionID sent to your server in the cookie header; look only at the sessionID that your GWT app sends explicitly in the payload of messages to your server."
> >
> > I've numbered the questions below:
> >
> > 1) If we can't trust cookies, what's the point of using cookies at all? If it's just so the browser UI "thinks" the user is logged in, why not just store it in some local client-side variable, since GWT applications are contained within a single page?
> >
> > * Make RPC call with user/pass
> > * Server says pass = OK
> > * In User.java, call setLoggedIn(true)
> >
> > 2) That leads me to my next question: how should the sessionID be stored in the client? Do I just store it in some class, let's say User.java, as a String or whatnot in plain text?
> >
> > 3) Then, in any RPC request that needs the user to be logged in, I pass this sessionID along with the rest of the objects?
> >
> > 4) How does the server then take this sessionId and authenticate it? Is the approach the same whether I'm using Java/RPC with Tomcat or JSON with PHP on an Apache server? Can you give an example (or a link to a page that explains this)?
> >
> > 5) Finally, is there any situation where you would store the username/pass on the client in order to authenticate each RPC call? If so, what would be the security implications of this?
> >
> > Thanks. I'm sorry for the basic questions. This is all fairly new to me since my only experience with web app security is academic and very minimal. It's obviously something I don't want to get wrong :)

You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com. To unsubscribe from this group, send email to [EMAIL PROTECTED]. For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en