On Fri, Feb 25, 2011 at 10:14 AM, veenatic <praveen.bit...@gmail.com> wrote:
> Does this mean that "auth token" in the request payload is not of much use?
> Also, I want to understand when I have the token set in the requestfactory
> payload, how to retrieve from the payload when a service call is made by
> requestfactory since I will have to validate the token for every service
> request.
>
>
> On Friday, February 25, 2011 3:49:32 PM UTC+2, Thomas Broyer wrote:
>>
>> Of course! I didn't mean to imply that you shouldn't secure your app, but
>> honestly if someone succeeds in hijacking your session, then he could
>> possibly do it before loading the host page, so that your GWT app will run
>> with the hijacked session, and the "auth token in the request payload" won't
>> be of any help.
>
>

To the contrary - it means that every request to the server should include it and that every request should validate it against the HttpSession's session id value and respond accordingly.

> --
> You received this message because you are subscribed to the Google Groups
> "Google Web Toolkit" group.
> To post to this group, send email to google-web-toolkit@googlegroups.com.
> To unsubscribe from this group, send email to
> google-web-toolkit+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/google-web-toolkit?hl=en.
>

--
*Jeff Schwartz*
http://jefftschwartz.appspot.com/
http://www.linkedin.com/in/jefftschwartz
follow me on twitter: @jefftschwartz
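One way to implement the per-request check described in the reply above, as an added example that is not code from this thread or from GWT. It assumes the client sends the token in a request header (the name `X-Auth-Token` and the class `SessionTokenFilter` are hypothetical) and that the filter is mapped in `web.xml` to the URLs that serve the application's service requests; the thread does not show how to read the token from the RequestFactory payload, so that part is not covered.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: rejects any request whose token does not match the session id. */
public class SessionTokenFilter implements Filter {

    // Hypothetical header name; the client must be set up to send it on every call.
    static final String TOKEN_HEADER = "X-Auth-Token";

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): a request without a session must not create one here.
        HttpSession session = request.getSession(false);
        String token = request.getHeader(TOKEN_HEADER);

        if (session == null || token == null || !matches(token, session.getId())) {
            // Missing session, missing token, or mismatch: refuse before any service code runs.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Compares the presented token with the session id without a data-dependent early exit. */
    static boolean matches(String presented, String expected) {
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }
}
```

Because the expected value is the session id itself, this check only confirms that the sender can read the session id; as the quoted reply from Thomas Broyer points out, it does not help once the session has been hijacked.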