Tuesday, September 27, 2011

Re: RequestFactoryServlet and security : passing sessionId back and forth

On Tuesday, September 27, 2011 5:28:21 PM UTC+2, koma wrote:
Hi

As so many others before me, I went through the LoginSecurityFAQ and have been reading about passing the SESSIONID from the client to the server in the payload for each and every request. The message is that we cannot trust the HttpSession server side because of potential CSRF attacks.

Question:

  • Do I have to add an additional parameter SESSIONID to each and every service call that I am launching from GWT to the server?
No 
  • Or perhaps I can attach the SESSIONID as request attribute, so my service interfaces stay clean of this extra parameter?
Yes 
  • I also noticed that in earlier versions of RfServlet there was an init parameter UserInfo but this seems to have disappeared. I never used it but I suspect this is some mechanism to address the above issues? Is there some replacement mechanism?

Use a custom RequestTransport on the client-side, and a servlet filter on the server-side. Have a look at the Expenses sample from the GWT SDK, which does this for AppEngine authentication.

--
To view this discussion on the web visit https://groups.google.com/d/msg/google-web-toolkit/-/0pw34kOddD4J.
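The "custom RequestTransport on the client, servlet filter on the server" pattern from the reply above, as an added example; this is not code from the thread, from the GWT SDK or from the Expenses sample (which the reply cites for AppEngine login handling, not for the CSRF check shown here). The class names, the package names, the cookie name XSRF-TOKEN, the header name X-XSRF-TOKEN and the session attribute name csrfToken are all assumptions. One deliberate variation from the LoginSecurityFAQ recipe: instead of echoing the session id itself back to the server, a login handler mints a separate random token, stores it in the HttpSession and hands it to the browser in a cookie the client script can read; the transport copies that cookie into a request header, and the filter refuses any RequestFactory call whose header does not match the session. The service interfaces never see the token, which answers the second question in the original post.

```java
// ---- Client side (GWT, compiled to JavaScript): CsrfRequestTransport.java ----
package com.example.client;                       // assumed package name

import com.google.gwt.http.client.RequestBuilder;
import com.google.gwt.user.client.Cookies;
import com.google.web.bindery.requestfactory.gwt.client.DefaultRequestTransport;

/**
 * Adds the CSRF token to every RequestFactory request as a custom header.
 * Install with: factory.initialize(eventBus, new CsrfRequestTransport());
 * A cross-site form post cannot set custom headers and a cross-site XHR is
 * stopped by the same-origin policy, so a forged request arrives without it.
 */
public class CsrfRequestTransport extends DefaultRequestTransport {
  public static final String COOKIE_NAME = "XSRF-TOKEN";   // assumed name
  public static final String HEADER_NAME = "X-XSRF-TOKEN"; // assumed name

  @Override
  protected void configureRequestBuilder(RequestBuilder builder) {
    super.configureRequestBuilder(builder);
    // The token cookie is intentionally NOT HttpOnly so the client can read it;
    // the JSESSIONID cookie itself should stay HttpOnly.
    String token = Cookies.getCookie(COOKIE_NAME);
    if (token != null) {
      builder.setHeader(HEADER_NAME, token);
    }
  }
}

// ---- Server side: CsrfTokenFilter.java, mapped to the RequestFactoryServlet URL ----
package com.example.server;                       // assumed package name

import java.io.IOException;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class CsrfTokenFilter implements Filter {
  static final String COOKIE_NAME = "XSRF-TOKEN";   // must match the client
  static final String HEADER_NAME = "X-XSRF-TOKEN"; // must match the client
  static final String SESSION_ATTR = "csrfToken";   // assumed attribute name
  private static final SecureRandom RANDOM = new SecureRandom();

  public void init(FilterConfig config) {}
  public void destroy() {}

  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) resp;

    // Never create a session here: an unauthenticated caller gets nothing.
    HttpSession session = request.getSession(false);
    if (session == null) {
      response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "not logged in");
      return;
    }
    String expected = (String) session.getAttribute(SESSION_ATTR);
    String presented = request.getHeader(HEADER_NAME);
    // Constant-time comparison; a missing header or attribute is a failure.
    if (expected == null || presented == null
        || !MessageDigest.isEqual(expected.getBytes("UTF-8"), presented.getBytes("UTF-8"))) {
      response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF token mismatch");
      return;
    }
    chain.doFilter(req, resp); // token matches the session: let RequestFactoryServlet run
  }

  /**
   * Called once by the login handler after authentication succeeds: mint a
   * fresh token, bind it to the session and send it to the browser in a
   * cookie the client script can read (so deliberately not HttpOnly).
   */
  public static void issueToken(HttpSession session, HttpServletResponse response) {
    String token = new BigInteger(130, RANDOM).toString(32);
    session.setAttribute(SESSION_ATTR, token);
    Cookie cookie = new Cookie(COOKIE_NAME, token);
    cookie.setPath("/");
    response.addCookie(cookie);
  }
}
```

The filter must be mapped in web.xml to the same URL pattern as RequestFactoryServlet (by default /gwtRequest), and the login code has to call issueToken after it creates the authenticated session, otherwise every RequestFactory call is rejected with 403. Because the token is compared against the server-side session rather than trusted on its own, an attacker who can forge a cross-site POST still cannot supply a matching header, which is the point the LoginSecurityFAQ makes about not trusting the HttpSession cookie alone.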
