On Wed, Oct 28, 2009 at 12:00 PM, Jason Essington <jas...@greenrivercomputing.com> wrote:

> In general you seem to be talking about attacks that would be handled
> by the browser's "Same Origin Policy". This does segregate js loaded
> from different places to prevent that sort of thing.

That's the real key, I think. Thanks for confirming....

> but if the users shouldn't have the data, then you shouldn't have sent
> it in the first place. remember, the world beyond your server is
> hostile and never to be trusted.

Well, they give me the userid and password to login, so it doesn't have to be secret to them, though I wouldn't want my UI to otherwise show the password any further, just store it for other RPCs in the future.

One solution mentioned for XSS/XSRF is to not rely on server-side sessions, since these are often in cookies, so if a bad site can use the user's browser to send a request to a "good" site they are logged into, they could trick it into doing so. So they suggest creating another unique id that is then passed in all RPC calls so that you can confirm the RPC is really from the client app you expect (the attackers won't know this data, so the server will see the request as matching the session and perhaps associating it with the logged in user, but then reject it because it's missing this extra parameter).

So I was wondering what the advantage of that is over just having the RPC send the userid+password each time, since it has the added advantage of allowing the RPC to re-login the user to handle the request, perhaps allowing the server to have very short session timeouts and have less session state related to a logged in user, etc.
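The per-session "extra parameter" check described in the message above, written out as an added example (it is not code from this thread, from GWT, or from any of the posters). It assumes a hypothetical in-memory session store, a cookie named `JSESSIONID` carrying the session id, and an RPC parameter named `xsrf_token`; all names are illustrative. The point it shows: a request forged from another site arrives with the session cookie (the browser attaches it automatically) but without the token, so the server can tell it apart from a request made by the real client app.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store: session id -> Session.
# Example only; a real server would use its servlet container's session store.
@dataclass
class Session:
    user_id: str
    xsrf_token: str

SESSIONS: dict[str, Session] = {}


def login(user_id: str) -> tuple[str, str]:
    """Create a server-side session after the user has authenticated.

    Returns (session_id, xsrf_token). The session id goes into a cookie;
    the token is returned in the login response so the client app can keep
    it in JavaScript memory and attach it to every later RPC call. A page on
    another origin never sees the token because of the Same Origin Policy.
    """
    session_id = secrets.token_urlsafe(32)
    xsrf_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = Session(user_id=user_id, xsrf_token=xsrf_token)
    return session_id, xsrf_token


@dataclass
class RpcRequest:
    """Constructed stand-in for an incoming HTTP request (cookies + RPC params)."""
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def authorize_rpc(req: RpcRequest) -> tuple[bool, str]:
    """Server-side check run before any RPC method is dispatched.

    Returns (accepted, reason_or_user_id). Both the session cookie and the
    per-session token must be present and must belong together.
    """
    session = SESSIONS.get(req.cookies.get("JSESSIONID", ""))
    if session is None:
        return False, "no valid session"
    token = req.params.get("xsrf_token")
    if token is None:
        # Forged cross-site request: cookie was attached by the browser,
        # but the attacker's page could not read the token to include it.
        return False, "missing xsrf token"
    if not hmac.compare_digest(token, session.xsrf_token):
        # Constant-time comparison so a wrong token cannot be probed byte by byte.
        return False, "bad xsrf token"
    return True, session.user_id


def logout(session_id: str) -> None:
    """Drop the session; both the cookie and the token become useless."""
    SESSIONS.pop(session_id, None)


if __name__ == "__main__":
    sid, tok = login("alice")
    legit = RpcRequest(cookies={"JSESSIONID": sid}, params={"xsrf_token": tok})
    forged = RpcRequest(cookies={"JSESSIONID": sid})  # cookie only, no token
    print("legit :", authorize_rpc(legit))
    print("forged:", authorize_rpc(forged))
```

The token only helps if the client sends it as an RPC parameter or header the server reads explicitly; if it were placed in a cookie too, the browser would attach it to forged requests just like the session cookie, and the check would add nothing.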