Re: Security considerations for GWT applications
Use SSL for security; never send a clear-text user id and password over the wire.
If a user navigates away from the app, then they should log in again.
ed
On Wed, Oct 24, 2012 at 5:41 AM, Flying-w <simonjones38@googlemail.com> wrote:
> I am investigating security considerations around the user login for a GWT
> application in respect of the following strategy:
>
> User enters their id and password in a dialogue;
> Client transmits the login request with the above details to the server
> using RPC;
> Server returns a token unique to the client. The client stores this in a
> cookie such that if they press F5 to reload the application, or navigate
> away and come back, they do not need to login again (within a timeout
> period);
> On every request the client sends to the server, the token is included in
> the payload of the request to authenticate the request;
>
> There are some obvious flaws in this approach:
>
> The "Eve" type hacker listening on the network can intercept the plain-text
> user id and password and reuse them directly in their client;
> If someone gains physical access to the original user's computer, can they
> lift the server token from the cookie and use the token on their
> computer to impersonate the original user?
>
> What are the solutions to these security exposures?
>
> Use SSL. Any good guides about doing this with GWT? Does SSL also defeat
> the "Mallory" attacker that can also modify network data?
> Any non-SSL solutions?
>
> Perhaps there's a guide about this out there somewhere, but all I can find
> so far is information relating to javascript security.
>
> Thanks
> Simon.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Google Web Toolkit" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/google-web-toolkit/-/4MgiVSsFI3UJ.
> To post to this group, send email to google-web-toolkit@googlegroups.com.
> To unsubscribe from this group, send email to
> google-web-toolkit+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/google-web-toolkit?hl=en.
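As an added example (not code from this thread or from GWT itself), here is a server-side registry for the opaque login token in Simon's design: issued only after the password has been checked over SSL, expired after the timeout period, checked on every RPC, and revocable when the user logs out. The 30-minute idle timeout and the class and method names are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not GWT or the poster's code: server-side store for the
// opaque tokens described in the thread. Tokens are random (unguessable),
// expire after an idle timeout, and are validated on every RPC call.
public class TokenRegistry {
    private static final long IDLE_TIMEOUT_MS = 30 * 60 * 1000L; // assumed 30-minute timeout
    private final SecureRandom random = new SecureRandom();
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    private static final class Session {
        final String userId;
        volatile long lastSeenMs;
        Session(String userId, long now) { this.userId = userId; this.lastSeenMs = now; }
    }

    /** Called after the password has been verified over SSL; returns the token to hand to the client. */
    public String issueToken(String userId, long nowMs) {
        byte[] raw = new byte[32];              // 256 bits of entropy, so tokens cannot be guessed
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(token, new Session(userId, nowMs));
        return token;
    }

    /** Validates the token carried in an RPC payload; returns the user id, or null if rejected. */
    public String authenticate(String token, long nowMs) {
        if (token == null) return null;
        Session s = sessions.get(token);
        if (s == null) return null;             // unknown or already revoked token
        if (nowMs - s.lastSeenMs > IDLE_TIMEOUT_MS) {
            sessions.remove(token);             // timeout elapsed: force a fresh login
            return null;
        }
        s.lastSeenMs = nowMs;                   // sliding window: activity extends the session
        return s.userId;
    }

    /** Logout (or "navigated away", as the reply suggests) invalidates the token server-side. */
    public void revoke(String token) {
        sessions.remove(token);
    }
}
```

Because the token is only a key into this server-side map, a token lifted from a cookie stops working as soon as it is revoked or times out, which limits the window of the impersonation scenario raised in the question.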