GWT RPC Cookie authentication?

Depending only on the cookie for authentication will make your website/services vulnerable to Cross-Site Request Forging/XSRF/CSRF attacks - read more on that in Security for GWT Applications. The best way would be to double-check the value you get from the cookie against the one that's been transported to the server by some other means - as part of the request (header, a custom field, etc.). Other than that, there are many tutorials covering the subject - just search for Java (servlet) authentication - it doesn't have to be GWT-specific.

The Google Web Toolkit Group also has many threads about the subject.


I assume that you use GWT's RPC servlet for handling requests made by the client. One option that comes to my mind is to write and configure a ServletFilter which can examine the cookie, before the request reaches GWT's servlet.
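A minimal version of the ServletFilter approach above, combined with the double-check from the XSRF answer (added example, not code from the original answers or from GWT; the cookie and header names, and the assumption that an unguessable per-session token is set in a script-readable cookie at login and echoed by the GWT client into a request header, are mine):

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter placed in front of GWT's RPC servlet in web.xml.
// It rejects RPC POSTs unless the anti-XSRF token sent in the "X-XSRF-Token"
// header equals the one in the "XSRF-TOKEN" cookie. A cross-site form post can
// make the browser attach the cookie, but it cannot read it to set the header.
// Names and the token-issuing scheme are assumptions, not part of GWT.
public class XsrfDoubleSubmitFilter implements Filter {
    static final String COOKIE = "XSRF-TOKEN";
    static final String HEADER = "X-XSRF-Token";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        // GWT RPC calls are POSTs; only state-changing requests need the check.
        if ("POST".equalsIgnoreCase(http.getMethod())
                && !tokensMatch(cookieValue(http, COOKIE), http.getHeader(HEADER))) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN, "XSRF token mismatch");
            return;
        }
        chain.doFilter(req, res);
    }

    // Returns the named cookie's value, or null when the request carries none.
    static String cookieValue(HttpServletRequest r, String name) {
        Cookie[] cookies = r.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) if (name.equals(c.getName())) return c.getValue();
        return null;
    }

    // Constant-time comparison: a missing or empty token never matches, and
    // timing does not reveal how many leading bytes of a guess were right.
    static boolean tokensMatch(String fromCookie, String fromHeader) {
        if (fromCookie == null || fromHeader == null || fromCookie.isEmpty()) return false;
        return MessageDigest.isEqual(fromCookie.getBytes(StandardCharsets.UTF_8),
                                     fromHeader.getBytes(StandardCharsets.UTF_8));
    }
}
```

The session cookie still does the authentication; the filter only adds the second channel, so the token cookie must not be HttpOnly or the client script cannot copy it into the header.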

You might rethink using cookies as it is a potential security hole. Why not put your communication to HTTPS?

HTTPS doesn't prevent XSRF attacks, AFAIK, so you're "just" protected from man-in-the-middle attacks. And it has the additional quirk that makes most browsers not cache the content of the HTTPS request. Plus, with GWT and all the AJAX stuff, you either keep the website HTTP or HTTPS - mixing them up can lead to some scary warnings on some browsers - not something you want to show to your users :) – Igor Klimer Feb 17 '10 at 2:06

True ... but I was thinking of putting the whole site under HTTPS, not mixing it. – Drejc Feb 17 '10 at 9:36

Right, and then the users would have to download the whole application (JS files) every time they use the site, probably complaining how slow it's loading, etc. Of course, if this is a bank site or something similar, security is priority number 1 and the whole site should be HTTPS. Nevertheless, my point about cookie-only authentication still holds. – Igor Klimer Feb 17 '10 at 23:32

Can you not just use the standard 'session' scope, i.e. Request.getSession()? A pattern I use in GWT apps is to have a separate 'old fashioned' login form which sets up the session. The GWT app's host page is then displayed after they have successfully logged in.

If the necessary values aren't in the session, then the user isn't logged in. Your service should return an exception, maybe, which instructs the GWT app to redirect to the login page, or display an error.
