Jason, So it's a GET parameter on a POST request? Hmmm. Clever, though.
Walden On Nov 4, 12:31 pm, "Jason Vincent" <[EMAIL PROTECTED]> wrote: > I see your point. If the SID is invalid, either via a real attack or by > session invalidation, the result is the same... "I don't know who you are so > please re-authenticate yourself." My project is in its early stages, so for > what I thought was an attack I was just throwing an exception to kick that > request back to where it came from. I believe I'll just handle it like the > user isn't logged in and send it to the login view. Thanks for your input. > > As for the get parameter... in my RemoteService interfaces, where I have the > static getInstance to get the Async instance I essentially pass in the sid > and build the url with that sid. > > <pre> > public static synchronized AuthenticationServiceAsync > getInstance(String sid) { > if (ourInstance == null) { > ourInstance = (AuthenticationServiceAsync) > GWT.create(AuthenticationService.class); > } > ((ServiceDefTarget) ourInstance) > .setServiceEntryPoint(GWT.getModuleBaseURL() + > "com.vincent.gwtapps.myApp.MyGwtApp/AuthenticationService?sid=" + sid); > return ourInstance; > } > </pre> > > > > On Tue, Nov 4, 2008 at 4:19 AM, walden <[EMAIL PROTECTED]> wrote: > > > Jason, > > > I think false positives is a feature of this kind of security > > strategy, not necessarily a bad thing. How do you handle what you > > think is a real "XSRF" attack? When I use Yahoo (not often), it seems > > like it asks me to login a lot. But they smooth the experience with > > words to the effect that it's for a good cause. Since the reality is > > that you can't be sure when a sid error is an attack, why not be > > candid about it? > > > BTW, how do you use RPC to send a "get parameter"? That part confused > > me. > > > Walden > > > On Nov 3, 4:59 pm, Jason <[EMAIL PROTECTED]> wrote: > >> I have a question about the "XSRF" protection. I've implemented this > >> by using a requestFilter which filters for the "nocache.js" file and > >> sets a "sid" cookie with the session id as the value. Then for each > >> RPC call I send the value of the "sid" cookie as a get parameter. > >> When the session is active this works great. The issue I have is when > >> the session expires, or invalid for some reason. Currently this is > >> reporting a false "XSRF" attack since the sid no longer matches the > >> session id on the server. > > >> If the sid is based off the session Id (or anything that changes over > >> time), how might it get updated when the session id gets invalidated?- > >> Hide quoted text - > > - Show quoted text - --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~----------~----~----~----~------~----~------~--~---