GWT Creating Session ID using java.uti.UUID and ignoring Cookie header
577 views
Skip to first unread message
HelperMethod
May 1, 2011, 11:09:27 AM5/1/11
to Google Web Toolkit
In order to prevent XSRF, I implement session handling in GWT this
way:
1. If a sessionID is stored in the cookie, send it to the server in
the RPC payload and check if it's still valid.
2. If not, show login window. User enters username/password, both
are sent to the server.
3. The server checks if the user exists. If so, I generate a
SessionID using UUID.randomUUID.toString and pass it back to the
client.
4. The client stores it in a cookie, sending it to the server with
each request (in the payload).
Is is okay to completely ignore the sessionID within the cookie
header?
I've also seen an alternative solution where the cookie's sessionID is
also aditionally sent within each request and then both are tested for
equality.
Which of the two solutions is better?
way:
1. If a sessionID is stored in the cookie, send it to the server in
the RPC payload and check if it's still valid.
2. If not, show login window. User enters username/password, both
are sent to the server.
3. The server checks if the user exists. If so, I generate a
SessionID using UUID.randomUUID.toString and pass it back to the
client.
4. The client stores it in a cookie, sending it to the server with
each request (in the payload).
Is is okay to completely ignore the sessionID within the cookie
header?
I've also seen an alternative solution where the cookie's sessionID is
also aditionally sent within each request and then both are tested for
equality.
Which of the two solutions is better?
ciosbel
May 1, 2011, 11:46:39 AM5/1/11
to google-we...@googlegroups.com
GWT 2.3 comes with XSRF RPC builtin protection. See http://code.google.com/intl/it-IT/webtoolkit/doc/latest/DevGuideSecurityRpcXsrf.html
that's an implementation of what already discussed in an old (but still interesting) document: http://code.google.com/intl/it-IT/webtoolkit/articles/security_for_gwt_applications.html#xsrf
that's an implementation of what already discussed in an old (but still interesting) document: http://code.google.com/intl/it-IT/webtoolkit/articles/security_for_gwt_applications.html#xsrf
gwt33
Dec 31, 2012, 10:18:52 AM12/31/12
to google-we...@googlegroups.com, pib.oliv...@googlemail.com
Hello,
I think it 's a good process because you don't use cookie and pass the session in the payload.
I have a question concerning the step 3 : " The server checks if the user exists. If so, I generate a
SessionID using UUID.randomUUID.toString and pass it back to the
client. " : where do you save the UUID session on the server ? hashtable ?thanks
Reply all
Reply to author
Forward
0 new messages