On Tuesday, September 27, 2011 5:28:21 PM UTC+2, koma wrote: > > Hi > > As so many others before me, I went through the *LoginSecurityFAQ* and > have been reading about *passing the SESSIONID from the client to the > server in the payload for each and every request*. The message is that we > cannot trust the HttpSession server side because of potential CSRF attacks. > > Question : > > > - Do I have to *add an additional parameter SESSIONID to each and every > service call* that I am launching from GWT to the server ? > > No
> > - Or perhaps I can attach the *SESSIONID as request attribute*, so my > service interfaces stay clean of this extra parameter ? > > Yes > > - I also noticed that in earlier versions of RfServlet there was a *init > parameter UserInfo* but this seems to have *disappeared*. I never used > it but I suspect this is some mechanism to address the above issues ? Is > there some replacement mechanism ? > > Use a custom RequestTransport on the client-side, and a servlet filter on the server-side. Have a look at the Expenses sample from the GWT SDK, which does this for AppEngine authentication. -- You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To view this discussion on the web visit https://groups.google.com/d/msg/google-web-toolkit/-/0pw34kOddD4J. To post to this group, send email to google-web-toolkit@googlegroups.com. To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
