Wednesday, May 25, 2011

Dealing with XSRF/CSRF

Am I correct that if I pass a self-generated sessionID with every RPC
request, and only check this sessionID instead of the one passed in
the cookie header, the session can't be hijacked by malicious sites? I
know that you should also send this sessionID in the cookie and then
compare it with the one sent with every request to detect an XSRF
attack, but doing it my way should at least protect against XSRF
attacks, shouldn't it?

EDIT

I know that GWT 2.3 takes care of XSRF by providing XSRF Token
Support. Sadly I'm stuck with GWT 2.2 and so have to deal with it by
myself.

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
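The defence the question circles around is a per-session token that the browser does not attach automatically: a cross-site page can make the victim's browser send the session cookie, but it cannot read a token that was handed to the application's own script, so a server that requires and verifies the token on every RPC rejects the forged request. The following is an added example written for this thread, not the poster's code and not part of GWT; the class name `CsrfTokenGuard`, the methods `issueToken` and `isValidRequest`, the HMAC-over-session-id derivation, the idea that the token travels in a request header, and the sample session ids are all assumptions. It implements the variant the poster mentions second, where the token is bound to the cookie's session id, and strips out the servlet plumbing so it runs as a plain `main`.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative server-side CSRF token check for an RPC endpoint.
 *
 * Token = HMAC-SHA256(serverKey, sessionId). The authenticated client obtains it
 * once (for instance through a dedicated RPC after login) and sends it back with
 * every state-changing RPC, e.g. in a request header (assumed transport). A
 * cross-site forgery carries the victim's session cookie but cannot read the
 * token, so it fails the check below.
 */
public final class CsrfTokenGuard {
    private static final String HMAC_ALG = "HmacSHA256";
    private final byte[] serverKey;

    public CsrfTokenGuard(byte[] serverKey) {
        this.serverKey = serverKey.clone();
    }

    /** Random per-process key for the demo; a real deployment loads it from configuration. */
    public static byte[] newRandomKey() {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        return key;
    }

    /** Token handed to the authenticated client, derived from its session id. */
    public String issueToken(String sessionId) {
        return Base64.getEncoder().encodeToString(hmac(sessionId));
    }

    /**
     * Runs for every state-changing RPC.
     * @param cookieSessionId session id the container took from the Cookie header
     * @param presentedToken  token the client placed in the request, or null if absent
     */
    public boolean isValidRequest(String cookieSessionId, String presentedToken) {
        if (cookieSessionId == null || presentedToken == null) {
            return false;
        }
        byte[] presented;
        try {
            presented = Base64.getDecoder().decode(presentedToken);
        } catch (IllegalArgumentException badEncoding) {
            return false;
        }
        byte[] expected = hmac(cookieSessionId);
        // Constant-time comparison so a wrong token cannot be refined byte by byte via timing.
        return MessageDigest.isEqual(expected, presented);
    }

    private byte[] hmac(String data) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(serverKey, HMAC_ALG));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        CsrfTokenGuard guard = new CsrfTokenGuard(newRandomKey());
        String victimSession = "JSESSIONID-sample-1234"; // constructed sample id
        String token = guard.issueToken(victimSession);

        // Own GWT client: session cookie plus the matching token.
        System.out.println("own client:        " + guard.isValidRequest(victimSession, token));
        // Cross-site forgery: browser attaches the cookie, token absent.
        System.out.println("forged, no token:  " + guard.isValidRequest(victimSession, null));
        // Cross-site forgery with a guessed token value.
        System.out.println("forged, guessed:   " + guard.isValidRequest(victimSession, "AAAA"));
        // A token captured from one session presented with another session's cookie.
        System.out.println("other session:     " + guard.isValidRequest("other-session-5678", token));
    }
}
```

Whether the server compares the presented token against the cookie's session as here, or treats the RPC-supplied value as the session identifier on its own, the protection rests on two properties the code makes explicit: the token is never placed where the browser sends it automatically, and it is unguessable because it is derived with a server-held key and compared in constant time. Binding it to the cookie's session id adds the property that a token obtained for one session is useless against another.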
