Per the Login Security FAQ (http://code.google.com/p/google-web- toolkit-incubator/wiki/LoginSecurityFAQ) I have a few questions:
1) We're storing the SID in a client-side cookie and then the GWT app is grabbing that and sending it to the server with each RPC request. How is that any different than getting the SID from the cookie on the server side? Theoretically if an attacker can replace the cookie, then wouldn't the GWT portion of the code that reads the cookie to send it along with the RPC request pick up the replaced cookie anyway? 2) What is wrong with simply relying on the normal Tomcat (et al) method of handling sessions? Perhaps I simply wish to store some information once the client has logged in via an authentication back- end that I do not control. Why do I need to send the SID along with each request? The client and server already automagically connect each incoming client request with the correct session bag (or I thought this happened). Thank you for your time! --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to Google-Web-Toolkit@googlegroups.com To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en -~----------~----~----~----~------~----~------~--~---