Sunday, March 3, 2013

Re: A question regarding the Dynamic Host Page's tutorial

There is no place more secure than another to put your CSRF token. If someone - by an XSS attack for example - can read the hosting page, he can as easily read the cookie, the HTTP headers, whatever, and find the XSRF token. BTW, with the XSS, he doesn't need the token anymore to make requests with the user's rights =)

SSL protects from a man in the middle or a sniffing attack. Without SSL, if someone can sniff your user's requests, you just can't hide anything: tokens, session ids, passwords, etc.

(ok, you could encrypt with JS, but... no)

On Sunday, March 3, 2013 2:59:35 AM UTC+1, a.toled...@gmail.com wrote:


On Saturday, March 2, 2013 7:57:49 PM UTC+1, Thomas Broyer wrote:


On Saturday, March 2, 2013 5:27:12 AM UTC+1, a.toled...@gmail.com wrote:
Hello group,

I have a question regarding this tutorial.

At the end it is illustrated how the servlet/JSP can create a JavaScript variable that contains the email address of the user. This is done in order to save a GWT RPC call that would ask the server for this value from the browser side when the page loads. I understand the rationale behind this, but I wonder if passing the data in a cookie wouldn't be just as efficient as the JavaScript variable and additionally more secure.

Why would it be more secure? I'd even say it'd be *less* secure: the cookie will be sent back to the server with every subsequent request!
BTW, emitting user info into the HTML page is what Google does (for Groups, which is made with GWT, but also Reader, GMail or Plus, which are made with the Closure tools)
 
Maybe I'm wrong. What I had in mind is data like an XSRF protection token that the server generates and needs to pass to the client in order for the latter to send it in every RPC request. If I put it in the HTML page, I thought it would make the token more accessible to anyone who wants to find it. But actually the cookies are also accessible. I don't know if using SSL would make any difference between these two ways of passing server data (in both cases the data (HTML/cookies) is encrypted on the server side and decrypted on the client side).


--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
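A small Python model of the server-side check the thread is discussing, added here as an example (it is not code from the thread, from the tutorial, or from GWT): a per-session token is emitted into the host page as a JavaScript variable, the way the tutorial emits the email, and the RPC endpoint accepts it only from a request header that page script has to set, so a cross-site request that merely carries the user's cookies is rejected. The header name, session attribute name and the helper names are assumptions.

```python
import hmac
import json
import secrets
from typing import Mapping

SESSION_ATTR = "xsrf_token"   # assumed: session attribute the servlet keeps the token in
HEADER_NAME = "X-XSRF-Token"  # assumed: header the GWT client adds to each RPC call


def issue_token(session: dict) -> str:
    """Create the per-session token once and keep it server side."""
    if SESSION_ATTR not in session:
        session[SESSION_ATTR] = secrets.token_urlsafe(32)
    return session[SESSION_ATTR]


def js_string(value: str) -> str:
    """Encode a value as a JS string literal; '<' is escaped so '</script>' in data cannot end the block."""
    return json.dumps(value).replace("<", "\\u003c")


def render_host_page(session: dict, email: str) -> str:
    """Emit token and email into the host page as JS variables, as the tutorial does for the email."""
    token = issue_token(session)
    return "<script>var XSRF_TOKEN = %s; var USER_EMAIL = %s;</script>" % (
        js_string(token), js_string(email))


def rpc_allowed(session: dict, headers: Mapping[str, str], cookies: Mapping[str, str]) -> bool:
    """Accept the RPC only if the header token matches the session token.
    Cookies are deliberately not consulted for the token: the browser attaches them to
    cross-site requests automatically, so a cookie value proves nothing about who sent it.
    The header can only be set by script running in the page that received the token."""
    expected = session.get(SESSION_ATTR)
    presented = headers.get(HEADER_NAME)
    if expected is None or presented is None:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())


def demo() -> dict:
    """Constructed requests: a legitimate RPC, a forged cross-site request, a wrong token."""
    session = {}
    render_host_page(session, "alice@example.com")  # constructed sample user
    token = session[SESSION_ATTR]
    return {
        "legit": rpc_allowed(session, {HEADER_NAME: token}, {"JSESSIONID": "s1"}),
        "forged_cookie_only": rpc_allowed(session, {}, {"JSESSIONID": "s1", "xsrf": token}),
        "wrong_token": rpc_allowed(session, {HEADER_NAME: token[:-1] + "_"}, {"JSESSIONID": "s1"}),
    }
```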
