Friday, June 6, 2014

Re: Making browser save username & password
On Saturday, June 7, 2014 5:31:51 AM UTC+2, Blake wrote:
Thanks a lot for your input!  I thought about doing it this way, and I like it a lot for all the reasons you state.  This would be the best and easiest approach.  My only problem with it was that I fear security.  I really don't understand cookies and local storage well.  I could encrypt the password.  I just don't understand if an app from another site can just read my local storage.  Do you have any comments about that concern?
DON'T DO THAT!
Your fears are well-founded. The only secure way to store a password is in a password manager (the one from the browser, or something like LastPass or 1Password).

With this approach, if there's an XSS vulnerability anywhere in your site (not only the login page, not only the GWT app) it could be exploited to read the localStorage.
Similarly for cookies, which is why cookies should never be readable by scripts (i.e. should have the HttpOnly flag) unless it's really needed (which should never be the case when the cookies are about security).

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at http://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.
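As an added illustration of the HttpOnly point in the reply above (example code, not from the thread or the GWT project): a small Set-Cookie auditor that flags security-relevant cookies missing the HttpOnly flag, and also checks for the Secure flag, which goes slightly beyond what the reply states. The cookie-name pattern and the sample headers are constructed assumptions for the demo.

```javascript
// Added example (not from the thread): audit Set-Cookie headers for the
// HttpOnly flag recommended above on security-relevant cookies.
// Which cookie names count as "security cookies" is an assumption here.
const SECURITY_COOKIE_PATTERN = /session|sid|auth|token|jsessionid/i;

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq >= 0 ? nameValue.slice(0, eq).trim() : nameValue.trim();
  const value = eq >= 0 ? nameValue.slice(eq + 1) : '';
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i >= 0 ? part.slice(0, i) : part).trim().toLowerCase();
    attrs[key] = i >= 0 ? part.slice(i + 1).trim() : true;
  }
  return { name, value, attrs };
}

// Return the findings for one Set-Cookie header; an empty list means OK.
// Non-security cookies (e.g. a UI theme) are deliberately not flagged.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!SECURITY_COOKIE_PATTERN.test(name)) return findings;
  if (!('httponly' in attrs)) {
    findings.push(`${name}: missing HttpOnly; readable via document.cookie if any XSS exists`);
  }
  if (!('secure' in attrs)) {
    findings.push(`${name}: missing Secure; may be sent over plain HTTP`);
  }
  return findings;
}

// Constructed sample headers: the weak form beside the corrected one.
const WEAK_HEADER = 'JSESSIONID=abc123; Path=/';
const HARDENED_HEADER = 'JSESSIONID=abc123; Path=/; HttpOnly; Secure';

const weakFindings = auditSetCookie(WEAK_HEADER);        // two findings
const hardenedFindings = auditSetCookie(HARDENED_HEADER); // []
```

Run the same check over the Set-Cookie headers your server actually emits to confirm the session cookie is not script-readable.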