--- On Tue, 4/12/11, Raphael André Bauer <raphael.andre.ba...@gmail.com> wrote:

> From: Raphael André Bauer <raphael.andre.ba...@gmail.com>
> Subject: Re: Login security question
> To: google-web-toolkit@googlegroups.com
> Cc: "Leung" <leung1_2...@yahoo.com>
> Date: Tuesday, April 12, 2011, 9:39 PM
>
> On Tue, Apr 12, 2011 at 12:30 PM, Leung <leung1_2...@yahoo.com> wrote:
> > Hi
> >
> > According to the article LoginSecurityFAQ,
> > http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ ,
> > there is a point that I really want someone to make clear for me.
> >
> > From the article:
> > "Your server will then validate this login, and return a sessionID to your GWT app. The GWT app will store this sessionID in a static field. For every further request your GWT app makes to your server, include this sessionID in the payload of the request. (Either in the JSON data or the object you are transferring using GWT-RPC)."
> >
> > I assume the server returns the sessionId by RPC to the client after validation.
> > How can I "include this sessionID in the payload of the request" using GWT-RPC?
> > How can I tell whether the sessionID is in the payload of the request or not?
>
> First part:
> The session is always sent in the header if it is a cookie set by your server. It's an "http thing".
>
> Second part:
> Sending the session id via RPC must be done via a separate String in your RPC interface. So manually add a String to your RPC.
>
> Validating:
> Your server can then compare those two values. As only a friendly script can access the cookie of your domain, your server can validate if the request is ok... Otherwise raise a security exception...
>
> Best,
>
> Raphael
>
> > Thanks
> > Ming
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
> > To post to this group, send email to google-web-toolkit@googlegroups.com.
> > To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com.
> > For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.

Hi Raphael,

Thank you very much for your reply.

For your second part, I have tried and modified some code posted in the tutorial. Is the following what you mean?

    import javax.servlet.http.Cookie;
    import com.google.gwt.user.server.rpc.RemoteServiceServlet;

    public class LoginServiceImpl extends RemoteServiceServlet implements LoginService {
        public String login(String _email, String _passwd) {
            // (credential check against _email/_passwd not shown here)
            String sessId = this.getThreadLocalRequest().getSession().getId();
            final long DURATION = 1000 * 60 * 60 * 24 * 14; // duration 2 weeks, in milliseconds
            Cookie cookie = new Cookie("sid", sessId);
            cookie.setPath("/");
            cookie.setMaxAge((int) (DURATION / 1000)); // servlet cookie max-age is in seconds
            this.getThreadLocalResponse().addCookie(cookie);
            return sessId;
        }
    }

Thanks,
Ming
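The "Validating" step Raphael describes, i.e. comparing the session id carried in the RPC payload with the "sid" cookie the browser attached, as an added example that is not code from this thread or from GWT. It assumes a hypothetical SecureService RPC interface whose methods take the session id as an explicit String parameter, the same "sid" cookie name as in LoginServiceImpl above, and the servlet API plus GWT server classes on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

// Hypothetical RPC interface: every method carries the session id as an
// explicit String, which is what "manually add a String to your RPC" means.
interface SecureService extends RemoteService {
    String getAccountData(String sessionId);
}

public class SecureServiceImpl extends RemoteServiceServlet implements SecureService {
    // Same cookie name LoginServiceImpl sets. It must stay readable by the
    // GWT client (not HttpOnly), otherwise the client cannot echo it back.
    private static final String SID_COOKIE = "sid";

    @Override
    public String getAccountData(String sessionId) {
        checkSession(sessionId);          // reject before doing any work
        return "account data for the validated session";
    }

    // Raphael's "Validating" step: the sid in the RPC payload must equal the
    // sid cookie the browser attached, and both must be the live session id.
    private void checkSession(String payloadSid) {
        HttpServletRequest req = getThreadLocalRequest();
        if (payloadSid == null || req.getSession(false) == null) {
            throw new SecurityException("no authenticated session");
        }
        String cookieSid = null;
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (SID_COOKIE.equals(c.getName())) {
                    cookieSid = c.getValue();
                }
            }
        }
        // Constant-time comparison so a mismatch does not leak how many
        // characters of the expected value were guessed correctly.
        if (cookieSid == null
                || !MessageDigest.isEqual(utf8(payloadSid), utf8(cookieSid))
                || !MessageDigest.isEqual(utf8(payloadSid), utf8(req.getSession(false).getId()))) {
            throw new SecurityException("session id in payload does not match cookie");
        }
    }

    private static byte[] utf8(String s) { return s.getBytes(StandardCharsets.UTF_8); }
}
```

A SecurityException thrown here surfaces on the GWT client as an InvocationException, so the client never receives data for a request whose payload sid and cookie disagree.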