krona: If you are getting the session ID from the cookie, your web
service is still vulnerable to XSRF (wikipedia it). Make GWT send the
session ID in the body of requests (such as a parameter to GWT-RPC or
stuff it in the JSON you're sending to your PHP).

On Dec 4, 1:24 am, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> The approach I'm taking, and I'm hoping it is a good one, is to divide
> the operations on the server cleanly in to read and write. I'm using
> php on the server and GWT on the client. The client cannot execute any
> write operation on the server without a unique Session ID, the only
> way that the client can get a Session ID is by providing correct log
> in credentials to the server. Once the client has provided correct
> login credentials the server creates a Session ID and binds it to an
> IP address. Any write requests coming in to the server will not be
> honoured if they do not come from the IP address/Session ID
> combination that the server understands as being 'safe'. Obviously
> once write access is granted on the server all string data is stripped/
> escaped as appropriate. The philosophy is that the server will never
> send anything to the client that could be interpreted as anything but
> plain text.
>
> I cannot protect against phishing, but then this is only for a cat club
> website!
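An added example (not code from either poster) of what krona's advice looks like on the PHP side: the write endpoint takes the session ID only from the JSON body the GWT client sends, never from the cookie, so a forged cross-site request, which carries the cookie automatically but cannot read the session ID, is refused. The `sid` field name, the `$validSessions` map and the sample data are assumptions made for the example.

```php
<?php
// Added example, not from the mailing-list thread. In a real handler the cookie
// comes from $_COOKIE and the body from file_get_contents('php://input');
// here they are passed in as arguments so the file runs offline.
declare(strict_types=1);

// Cookie-only check: the pattern krona warns about. The browser attaches the
// cookie to any request, including one triggered from a hostile page, so this
// alone does not tell a user's click apart from a forged cross-site request.
function authorisedByCookieOnly(array $cookies, array $validSessions): ?string
{
    if (!isset($cookies['sid']) || !is_string($cookies['sid'])) {
        return null;
    }
    return $validSessions[$cookies['sid']] ?? null;
}

// Body-token check: the session ID must be inside the JSON the client sends.
// A cross-site page cannot read the user's session ID, so it cannot build
// a body that passes this test. $validSessions maps session ID => account.
function authorisedWrite(string $rawBody, array $validSessions): ?string
{
    $body = json_decode($rawBody, true);
    if (!is_array($body) || !isset($body['sid']) || !is_string($body['sid'])) {
        return null;                      // write request without the in-body session ID
    }
    foreach ($validSessions as $sid => $account) {
        // hash_equals avoids leaking how many leading bytes matched.
        if (hash_equals((string) $sid, $body['sid'])) {
            return $account;
        }
    }
    return null;                          // unknown or expired session ID
}

// Constructed sample data for the demonstration.
$sessions = ['a1b2c3' => 'alice'];
$cookies  = ['sid' => 'a1b2c3'];

// Legitimate GWT client: it knows the session ID and repeats it in the JSON.
var_dump(authorisedWrite('{"sid":"a1b2c3","action":"rename","cat":"Tom"}', $sessions));

// Forged cross-site request: the cookie still arrives, but the body has no
// session ID, so the body-based check rejects it while the cookie-only
// check would have let it through.
var_dump(authorisedWrite('{"action":"rename","cat":"Tom"}', $sessions));
var_dump(authorisedByCookieOnly($cookies, $sessions));
```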