authentication question
Hi,
I am not sure whether my plan for authentication is safe. Please point out my mistake.
I use RPC to handle the login request. After verifying the user name and password from the client request, the server replies by sending back the acctId and a cookie with the session id. The widgets on the client side then use the acctId to retrieve the acct-specific info by RPC.
Server code
    int ret = accountdao.validateAccount(_email, _passwd);
    if (ret == 0)
    {
        // login success - return a cookie to the client
        String sessId = this.getThreadLocalRequest().getSession().getId();
        final long DURATION = 1000 * 60 * 60 * 24 * 14; // duration remembering login. 2 weeks in this example.
        Date expires = new Date(System.currentTimeMillis() + DURATION);
        Cookie cookie = new Cookie("sid", sessId);
        cookie.setPath("/");
        this.getThreadLocalResponse().addCookie(cookie);
        Account tmpAcct = accountdao.getAccount(_email, _passwd);
        return tmpAcct.getOid();
    }
Thanks a lot
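
An added example, not part of the original post or of GWT itself: one way to record the account in the server-side session at login, so that later RPC calls look the account up from the session instead of from an acctId sent by the client. The Account/AccountDao shapes, the loadProfile helper, the AccountService interface and the attribute name are assumptions modelled on the calls in the post, and the session is carried by the servlet container's own session cookie.

```java
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical shapes modelled on the calls in the post (assumptions).
interface Account { long getOid(); }
interface AccountDao {
    int validateAccount(String email, String passwd); // 0 == success, as in the post
    Account getAccount(String email, String passwd);
    String loadProfile(long acctId);                  // assumed helper
}
interface AccountService extends RemoteService {       // assumed RPC interface
    long login(String email, String passwd);
    String getProfile();                               // note: no acctId parameter
}

public class AccountServiceImpl extends RemoteServiceServlet implements AccountService {
    private static final String ACCT_ATTR = "acctId";  // session attribute name (assumption)
    private final AccountDao accountdao;

    // Register the instance programmatically or via DI so the DAO can be passed in.
    public AccountServiceImpl(AccountDao accountdao) { this.accountdao = accountdao; }

    @Override
    public long login(String email, String passwd) {
        if (accountdao.validateAccount(email, passwd) != 0) {
            throw new SecurityException("login failed");
        }
        HttpServletRequest req = getThreadLocalRequest();
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();          // do not reuse a session id issued before login
        }
        HttpSession session = req.getSession(true);
        long acctId = accountdao.getAccount(email, passwd).getOid();
        session.setAttribute(ACCT_ATTR, acctId);   // server-side record of who is logged in
        return acctId;                 // for display only; never used for authorization
    }

    @Override
    public String getProfile() {
        HttpSession session = getThreadLocalRequest().getSession(false);
        Object acctId = (session == null) ? null : session.getAttribute(ACCT_ATTR);
        if (acctId == null) {
            throw new SecurityException("not logged in");
        }
        return accountdao.loadProfile((Long) acctId); // account comes from the session
    }
}
```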