On Thu, Feb 24, 2011 at 6:19 PM, Thomas Broyer <t.bro...@gmail.com> wrote:

> In such a scenario, you'll generally have a "session" maintained by the
> server through a cookie, which will be enough (yes, cookies are not that
> secure, but still deemed secure enough that everyone from Google to
> Facebook, Twitter, Microsoft, Yahoo!, etc. use them).
>

I respectfully disagree, Thomas, and think your advice on this is ill
served. In addition I believe that there are those at all the companies that
you mentioned who would take issue with your opinion. Values from cookies
that are explicitly maintained on the client and which are transported to
the server as part of an RPC's payload can be trusted but values which come
directly from HTTPRequest's cookies aren't trustworthy. That's a fact. Leave
one little hole open and some malcontent with half a brain is going to
take advantage of it and hijack your session. It's such an easy prevention
to implement that one would have to be foolish to not take advantage of it.

-- 
*Jeff Schwartz*
http://jefftschwartz.appspot.com/
http://www.linkedin.com/in/jefftschwartz
follow me on twitter: @jefftschwartz
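The check Jeff is describing is the "double submit" pattern: the server never trusts the session cookie by itself, because a browser attaches cookies to any request regardless of which page triggered it; it only trusts an RPC whose payload also carries a token that client-side script on the application's own origin copied out of a cookie, something a third-party page cannot do. The following is an added example, not code from this thread or from GWT itself; the cookie names `JSESSIONID` and `XSRF-TOKEN`, the in-memory `SESSIONS` store and the function names are assumptions made for illustration. A GWT server would do the same in a servlet filter in front of the RPC servlet.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed in-memory session store: session id -> server-side CSRF token.
# A real deployment would use the servlet container's session or a database.
SESSIONS: Dict[str, str] = {}


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split a Cookie request header ("a=1; b=2") into a name -> value dict."""
    cookies: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, _, value = part.partition("=")
            cookies[name] = value
    return cookies


def issue_session() -> Tuple[str, str]:
    """Create a session and its CSRF token; returns (session_id, csrf_token).

    The server sets both as cookies. JSESSIONID should be HttpOnly; the
    XSRF-TOKEN cookie is deliberately readable by client script so the GWT
    client can copy its value into every RPC payload.
    """
    session_id = secrets.token_urlsafe(32)
    csrf_token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = csrf_token
    return session_id, csrf_token


def authorize_rpc(cookie_header: str, payload_token: Optional[str]) -> Tuple[bool, str]:
    """Decide whether an RPC may act on the caller's session.

    The cookie alone is never sufficient: the browser sends it with any
    request, including one a third-party page caused. The token in the RPC
    payload can only have been supplied by script running on our origin,
    so it must be present and match the token bound to this session.
    """
    cookies = parse_cookie_header(cookie_header)
    session_id = cookies.get("JSESSIONID")
    if session_id is None or session_id not in SESSIONS:
        return False, "no valid session cookie"
    if not payload_token:
        return False, "payload carries no CSRF token"
    expected = SESSIONS[session_id]
    # Constant-time comparison so a mismatch leaks nothing about the token.
    if not hmac.compare_digest(expected, payload_token):
        return False, "payload token does not match session"
    return True, "ok"


def demo() -> Tuple[bool, bool, bool]:
    """Three constructed requests: legitimate, cross-site forged, guessed token."""
    sid, token = issue_session()
    # Constructed Cookie header as the browser would send it on both the
    # legitimate request and a forged one.
    cookie_header = f"JSESSIONID={sid}; XSRF-TOKEN={token}"
    legit, _ = authorize_rpc(cookie_header, token)
    # Cross-site request: cookies are attached automatically, but the
    # foreign page cannot read them, so the payload has no token.
    forged, _ = authorize_rpc(cookie_header, None)
    # Cross-site request that guesses a token value.
    guessed, _ = authorize_rpc(cookie_header, "not-the-real-token")
    return legit, forged, guessed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Binding the payload token to a value stored server-side for the session, rather than only comparing it with the `XSRF-TOKEN` cookie echoed in the same request, also defeats an attacker who can plant cookies for the domain from a sibling host.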

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.
