GWT (client side) has nothing to do with HttpOnly cookies because the browser can not read them using javascript.
You have to face it in the server side, sending a cookie from your servlet to the browser with the HttpOnly attribute set, the browser will remember it, and the next time it loads the GWT application it has to ask the server via RPC to know if the user has the appropriate cookies, if not you have to show the login screen. -Manolo On Wed, Apr 7, 2010 at 8:17 PM, yccheok <yancheng.ch...@gmail.com> wrote: > Does anyone have a good code example, on how to implement login/logout/ > remember me feature, using GWT, with concern on Cross-Site Request > Forgeries. > > My plan is to use HttpOnly : > http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html > > However, I am not sure whether that will be sufficient enough. > > Thanks. > > -- > You received this message because you are subscribed to the Google Groups > "Google Web Toolkit" group. > To post to this group, send email to google-web-tool...@googlegroups.com. > To unsubscribe from this group, send email to > google-web-toolkit+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/google-web-toolkit?hl=en. > > -- You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to google-web-tool...@googlegroups.com. To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.