On Tue, Apr 12, 2011 at 12:30 PM, Leung <[email protected]> wrote:
> Hi
>
> According to article LoginSecurityFAQ,
> http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ ,
> I have a point that I really want someone to make clear for me.
>
> From the article,
> "Your server will then validate this login, and return a sessionID to your
> GWT app. The GWT app will store this sessionID in a static field. For every
> further request your GWT app makes to your server, include this sessionID in
> the payload of the request. (Either in the JSON data or the object you are
> transferring using GWT-RPC)."
>
> I assume the server returns the sessionId by RPC to the client after
> validation.
> How can I "include this sessionID in the payload of the request" using
> GWT-RPC?
> How can I tell whether the sessionID is in the payload of the request or not in the
> payload?
First part: The session is always sent in the header if it is a cookie set by your server. It's an "HTTP thing".

Second part: Sending the session id via RPC must be done via a separate String in your RPC interface. So manually add a String to your RPC.

Validating: Your server can then compare those two values. As only a friendly script can access the cookie of your domain, your server can validate if the request is ok... Otherwise raise a security exception...

Best,
Raphael

>
> Thanks
> Ming
>

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
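The "second part" and "validating" steps of Raphael's answer, carried through on the server side of a GWT-RPC call. This is an added example, not code from the thread or from the GWT project; the names AccountService, AccountServiceImpl, getProfile and the "JSESSIONID" cookie name are assumptions. The shared RPC interface is shown package-private in the same file so the listing is one compilable unit; in a real module it goes into the client package in its own file.

```java
// Added example (not from the thread or the GWT project). Assumed names:
// AccountService, AccountServiceImpl, getProfile, and "JSESSIONID" as the
// cookie name the servlet container uses for the session id.
package example.server; // hypothetical package

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.client.rpc.RemoteServiceRelativePath;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

// Shared RPC interface: the session id is an explicit String parameter, which
// is the "separate String in your RPC interface" from the answer.
@RemoteServiceRelativePath("account")
interface AccountService extends RemoteService {
    String getProfile(String sessionId);
}

public class AccountServiceImpl extends RemoteServiceServlet implements AccountService {

    private static final String SESSION_COOKIE = "JSESSIONID"; // assumed cookie name

    @Override
    public String getProfile(String sessionId) {
        requireMatchingSession(sessionId);
        // Only reached when the payload value matches the cookie value.
        return "profile for session " + sessionId;
    }

    // "Validating": compare the value the browser attached automatically (the
    // cookie, sent by HTTP on every request) with the value the GWT app placed
    // in the RPC payload. A request forged from another origin still carries
    // the cookie, but that origin cannot read it, so it cannot supply the
    // matching payload value and the check fails.
    private void requireMatchingSession(String payloadSessionId) {
        HttpServletRequest request = getThreadLocalRequest();
        String cookieSessionId = readCookie(request, SESSION_COOKIE);
        if (payloadSessionId == null || cookieSessionId == null
                || !constantTimeEquals(cookieSessionId, payloadSessionId)) {
            // Surfaces on the client as onFailure(); the method body never runs.
            throw new SecurityException("session id in payload does not match session cookie");
        }
    }

    // Returns the value of the named cookie, or null when the request has none.
    static String readCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }

    // Byte-wise comparison whose duration does not depend on where the first
    // mismatch occurs, so response timing does not reveal partial matches.
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(
                a.getBytes(StandardCharsets.UTF_8),
                b.getBytes(StandardCharsets.UTF_8));
    }
}
```

On the client, the value passed as the `sessionId` argument is the one the FAQ describes: the id the server returned from the login RPC and the app kept in a static field. Reading the cookie itself with `com.google.gwt.user.client.Cookies.getCookie("JSESSIONID")` also works, but only if the container did not mark the session cookie HttpOnly; the static-field approach does not depend on that setting.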
