I haven't tested it yet, but I believe you can extend
DefaultRequestTransport as discussed in this thread to set a request
header containing your session ID or other XSRF token:
HTH,
/dmc
On Tue, Nov 30, 2010 at 10:38 PM, Daniel Cowx <daniel.cowx@gmail.com> wrote:
> Hi guys,
>
> I've been using GWT-RPC up until this point, but would like to make
> the switch to RequestFactory shortly. I'm a bit confused as to how to
> prevent CSRF/XSRF with RequestFactory though.
>
> As per http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ,
> up to this point I've been sending the session ID within the *payload*
> of each RPC. Works great. Should I be doing something similar with
> RequestFactory? Any and all suggestions greatly welcome!
>
> Thanks,
> Daniel
>
> --
> You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
> To post to this group, send email to google-web-toolkit@googlegroups.com.
> To unsubscribe from this group, send email to google-web-toolkit+unsubscribe@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
>
>
--
David Chandler
Developer Programs Engineer, Google Web Toolkit
http://googlewebtoolkit.blogspot.com/
--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to google-web-toolkit+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
No comments:
Post a Comment