Hello,

I think it's a good process because you don't use cookies and pass the session in the payload.
I have a question concerning step 3: "The server checks if the user exists. If so, I generate a SessionID using UUID.randomUUID.toString and pass it back to the client." Where do you save the UUID session on the server? A hashtable?

thanks

On Sunday, 1 May 2011 17:09:27 UTC+2, HelperMethod wrote:
>
> In order to prevent XSRF, I implement session handling in GWT this 
> way: 
>
>    1. If a sessionID is stored in the cookie, send it to the server in 
> the RPC payload and check if it's still valid. 
>    2. If not, show login window. User enters username/password, both 
> are sent to the server. 
>    3. The server checks if the user exists. If so, I generate a 
> SessionID using UUID.randomUUID.toString and pass it back to the 
> client. 
>    4. The client stores it in a cookie, sending it to the server with 
> each request (in the payload). 
>
> Is it okay to completely ignore the sessionID within the cookie 
> header? 
>
> I've also seen an alternative solution where the cookie's sessionID is 
> also additionally sent within each request and then both are tested for 
> equality. 
>
> Which of the two solutions is better? 
>

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/google-web-toolkit/-/IrCB7OY0bgsJ.
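The scheme from the quoted steps, as an added Java example that is not code from the thread or from GWT: a server-side store for the UUID session IDs (the ConcurrentHashMap, the idle timeout and the class and method names are all assumptions), the payload-only check of step 1, and the double-submit variant that compares the cookie's value with the payload's.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
/** Server-side registry of session IDs for the scheme discussed above (added example). */
public class SessionRegistry {
    // Assumption: idle sessions expire after 30 minutes; the thread does not specify a lifetime.
    private static final Duration IDLE_TIMEOUT = Duration.ofMinutes(30);
    private static final class Session {
        final String username;
        volatile Instant lastSeen;
        Session(String username, Instant now) { this.username = username; this.lastSeen = now; }
    }
    // Answers "hashtable?": a concurrent map keyed by the UUID string (single-JVM, in memory).
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    /** Step 3: call only after the credentials were verified; mints an unguessable ID. */
    public String create(String username) {
        String id = UUID.randomUUID().toString(); // version-4 UUID, 122 random bits
        sessions.put(id, new Session(username, Instant.now()));
        return id;
    }

    /** Step 1: validate the ID carried in the RPC payload; returns the username or null. */
    public String validate(String payloadId) {
        if (payloadId == null) return null;
        Session s = sessions.get(payloadId);
        if (s == null) return null;
        Instant now = Instant.now();
        if (s.lastSeen.plus(IDLE_TIMEOUT).isBefore(now)) {
            sessions.remove(payloadId); // expired: drop it so the client is sent back to login
            return null;
        }
        s.lastSeen = now;
        return s.username;
    }

    /** The alternative from the thread: the cookie's ID must equal the payload's ID.
     *  The constant-time comparison avoids timing differences between the two strings. */
    public String validateDoubleSubmit(String cookieId, String payloadId) {
        if (cookieId == null || payloadId == null) return null;
        byte[] a = cookieId.getBytes(StandardCharsets.UTF_8);
        byte[] b = payloadId.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b) ? validate(payloadId) : null;
    }
}
```

A clustered deployment would replace the map with a shared store; the lookup and the equality check stay the same.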