Monday, October 25, 2010

Re: GWT & RPC and security of the data in the client

Hi Be-noix,

As always, the client should never be trusted. It would be safer to
keep your SessionData object on the server and have all your RPC
services check it before returning potentially sensitive data.

HTH,

On Sat, Oct 23, 2010 at 2:48 PM, Be-noix <benoitscherrer@gmail.com> wrote:
> Hi,
>
> I'm a beginner with GWT, and would need some advice about RPC & security
> of the data.
> What I'm doing is a basic 'login' feature.
>
> I implemented the part with RPC in which the client asks the server
> if a user/password is valid.
> As an answer, the client receives an instance of my class SessionData
> which contains:
> - userID: the user identifier
> - isLoggedIn: a boolean true/false to tell if the user is currently
> logged
> - isAdmin: a boolean true/false to tell if the current user is an
> administrator
> - etc...
>
> That SessionData is then used by a lot of functions in my client code
> to check that the user is logged in
> or is an administrator.
> For example a RPC service AddMessage(SessionData session, MessageData
> msg) will
> add a message in the DB in the server side, and identify the user
> through the SessionData.
>
> My question is the following: is it good practice to do it this
> way, and is it safe?
> Could some hacker succeed in modifying the value of isLoggedIn or isAdmin
> of a SessionData in the client,
> and access parts of the site they shouldn't?
>
> Thanks a lot !
> Bé-noix
>
> --
> You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
> To post to this group, send email to google-web-toolkit@googlegroups.com.
> To unsubscribe from this group, send email to google-web-toolkit+unsubscribe@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
>
>

--
David Chandler
Developer Programs Engineer, Google Web Toolkit
http://googlewebtoolkit.blogspot.com/
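The pattern the reply recommends, as an added example that is not code from this thread or from GWT itself: the servlet keeps SessionData in the container's HttpSession at login and every RPC method re-reads it from there instead of trusting a copy sent by the browser. Class names (SessionData, MessageData, MessageService, MessageDao, UserDao) and the attribute key are assumed for illustration; getThreadLocalRequest() is the real RemoteServiceServlet accessor.

```java
// Added illustration of the reply's advice; not code from the thread.
// Hypothetical names: SessionData, MessageData, MessageService, MessageDao, UserDao.
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import javax.servlet.http.HttpSession;

public class MessageServiceImpl extends RemoteServiceServlet implements MessageService {
    private static final String SESSION_KEY = "sessionData"; // HttpSession attribute name (assumed)

    // BEFORE (the pattern in the question): the authorization decision rests on
    // fields the client sent. Anything in the browser can be edited, so
    // isLoggedIn/isAdmin here are attacker-controlled input, not facts.
    public void addMessageUnsafe(SessionData clientSession, MessageData msg) {
        if (!clientSession.isLoggedIn()) throw new SecurityException("not logged in");
        MessageDao.insert(clientSession.getUserID(), msg);
    }

    // Login RPC: after the password check the server stores its own SessionData in
    // the container's HttpSession. The browser only holds the opaque session cookie;
    // the returned copy is for UI decisions (show/hide admin menu), never for access control.
    public SessionData login(String user, String password) {
        if (!UserDao.checkPassword(user, password)) return SessionData.anonymous();
        SessionData data = UserDao.load(user);            // fills userID, isAdmin, isLoggedIn ...
        getThreadLocalRequest().getSession(true).setAttribute(SESSION_KEY, data);
        return data;
    }

    // AFTER: no SessionData parameter at all; every RPC re-reads it server-side.
    public void addMessage(MessageData msg) {
        SessionData session = requireLogin();
        MessageDao.insert(session.getUserID(), msg);
    }

    public void deleteAnyMessage(long messageId) {
        SessionData session = requireLogin();
        if (!session.isAdmin()) throw new SecurityException("admin only");
        MessageDao.delete(messageId);
    }

    // Central check. getThreadLocalRequest() is RemoteServiceServlet's accessor
    // for the HttpServletRequest of the RPC call currently being processed.
    private SessionData requireLogin() {
        HttpSession http = getThreadLocalRequest().getSession(false);
        SessionData data = http == null ? null : (SessionData) http.getAttribute(SESSION_KEY);
        if (data == null || !data.isLoggedIn()) throw new SecurityException("not logged in");
        return data;
    }
}
```

The stored object never leaves server memory, so editing the client's copy changes nothing the checks depend on; pair this with HttpSession.invalidate() on logout so a stale session cannot be reused.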
