I think ytrewqsm has a point.

If user X has authenticated, the server can know which user it is
(stateful) and refuse to change (for example) another user's profile
in response to a "Change user Y's password to xyz" request.

If the server is stateless and the logged-in user state is held on the
client (recommended) then the server will innocently go ahead and
process a spoofed change password request (and any other spoofed
request).

I think that is what ytrewqsm is getting at.
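The spoofed change-password case from the post above, as an added example that is not part of the original thread: a handler that takes the target user from the request body (and so updates whichever account the client names) beside one that derives the acting user from a server-verified credential and refuses requests for any other account. The user store, secret, token format and function names are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed demo values: the secret lives only on the server; the user
# store stands in for a real database. Both are assumptions, not GWT code.
SERVER_SECRET = b"constructed-demo-secret"
PASSWORDS = {"alice": "old-a", "bob": "old-b"}


def issue_token(username: str) -> str:
    """Mint an HMAC-signed token at login; the server keeps no session state."""
    mac = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}.{mac}"


def verify_token(token: str):
    """Return the username the token was issued for, or None if it was altered."""
    username, _, mac = token.rpartition(".")
    expected = hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(mac, expected) else None


def change_password_trusting_client(request: dict) -> bool:
    """Vulnerable: the target account comes straight from the request body,
    so the server 'innocently' updates whichever user the client names."""
    user = request["user"]
    if user in PASSWORDS:
        PASSWORDS[user] = request["new_password"]
        return True
    return False


def change_password_checked(request: dict, token: str) -> bool:
    """Hardened: the acting user is taken from the verified token, and the
    request is refused unless it targets that same account."""
    actor = verify_token(token)
    if actor is None or actor != request["user"]:
        return False  # bad token, or an attempt to change another user's password
    PASSWORDS[actor] = request["new_password"]
    return True
```

The same check applies whether the identity comes from a server-side session or from a signed token the client carries; what matters is that the handler never trusts an unverified user field in the request body.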