Hi As so many others before me, I went through the *LoginSecurityFAQ* and have been reading about *passing the SESSIONID from the client to the server in the payload for each and every request*. The message is that we cannot trust the HttpSession server side because of potential CSRF attacks.
Question : - Do I have to *add an additional parameter SESSIONID to each and every service call* that I am launching from GWT to the server ? - Or perhaps I can attach the *SESSIONID as request attribute*, so my service interfaces stay clean of this extra parameter ? - I also noticed that in earlier versions of RfServlet there was a *init parameter UserInfo* but this seems to have *disappeared*. I never used it but I suspect this is some mechanism to address the above issues ? Is there some replacement mechanism ? Old implementation (part of doPost) of RequestFactoryServlet : // Check that user is logged in before proceeding UserInformation userInfo = UserInformation.getCurrentUserInformation(request.getHeader("pageurl")); if (!userInfo.isUserLoggedIn()) { response.setHeader("login", userInfo.getLoginUrl()); response.sendError(HttpServletResponse.SC_UNAUTHORIZED); } else { response.setHeader("userId", String.format("%s", userInfo.getId())); response.setStatus(HttpServletResponse.SC_OK); RequestProcessor<String> requestProcessor = new JsonRequestProcessor(); requestProcessor.setOperationRegistry(new ReflectionBasedOperationRegistry( new DefaultSecurityProvider())); requestProcessor.setExceptionHandler(exceptionHandler); response.setContentType(RequestFactory.JSON_CONTENT_TYPE_UTF8); writer.print(requestProcessor.decodeAndInvokeRequest(jsonRequestString)); writer.flush(); } Thx Koen -- You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To view this discussion on the web visit https://groups.google.com/d/msg/google-web-toolkit/-/WDA1sfVapK4J. To post to this group, send email to google-web-toolkit@googlegroups.com. To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.