On Dec 3, 3:57 am, Patrick Ratelband <[EMAIL PROTECTED]> wrote:
> jhulford, from what I understand, cookies are sent in the header as
> well and that is the whole reason they are vulnerable to XSRF, so setting
> some header would seem to me like it does not solve the problem. Your
> second post was very useful, I had not seen the second article with
> all the info and it gave me a lot to think about. Thanks.
See the paragraph below that I copied from the article. It explains why you may want to send the header. It's really the same strategy as sending the identifier in the parameter list but, in my opinion, using the header strategy makes it easier to do the authorization transparently to your service layer (i.e. you don't have to put session params in all your service call APIs). Besides, putting your session identifier in the parameter list is just as vulnerable to being manipulated as a header. If someone has man-in-the-middled you, it's not going to matter where you're sending the session identifier; they'll be able to get at it. The way I understand it, the only real defense against MITM is to use strong encryption.

"An easy way to prevent this is to use JavaScript to copy the cookie value and submit it as form data along with your XMLHTTPRequest call. Since the browser's Same-Origin Policy will prevent a third-party site from accessing the cookies from your site, only your site can retrieve your cookie. By submitting the value of the cookie along with the request, your server can compare the actual cookie value with the copy you included; if they don't match, your server knows that the request is an XSRF attempt. Simply put, this technique is a way of requiring the code that made the request to prove that it has access to the session cookie."

You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to Google-Web-Toolkit@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en