How secure is this GWT / RPC security method for the GWT GAE Java application?

Once the user is logged in, I create a Java session and save the user ID and a session ID (sid) in it. These two parameters are sent to the GWT client, which stores them in the GWT client base (not as cookies). I am using the MVP architecture.

Every RPC call made after that is sent with these two parameters, userID and SID, and on the server I check that the current server-side session is equal to the specified session identifier and belongs to that user identifier.

Only if everything is fine do I process the RPC request further.

In addition, I plan to make all my RPC handlers extend a common RPC handler that accepts these parameters.

I am new to GWT and GAE, any help would be greatly appreciated.

Thanks.

+3
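The server-side check the question describes, written out as an added example (it is not code from the question, from either answer, or from the GWT project). It assumes a base servlet named SecureRpcServlet, a helper startSession called once at login, and session attribute names userId and sid; all of those names are assumptions. The client-supplied pair is compared in constant time against what the HttpSession holds, and the request is rejected if the session is missing, the pair does not match, or the call did not arrive over HTTPS.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

/** Hypothetical common base class for all RPC handlers (name is an assumption). */
public abstract class SecureRpcServlet extends RemoteServiceServlet {

    // Session attribute names; assumed for this example.
    static final String SESSION_USER_ID = "userId";
    static final String SESSION_SID = "sid";
    private static final SecureRandom RNG = new SecureRandom();

    /** Raised when the (userId, sid) pair does not match the server session. */
    public static class NotAuthenticatedException extends RuntimeException {
        public NotAuthenticatedException(String reason) { super(reason); }
    }

    /**
     * Called once after the password check succeeds: stores the user id and a
     * freshly generated random sid in the HttpSession and returns the sid so the
     * login RPC can hand it to the client.
     */
    protected String startSession(String userId) {
        HttpServletRequest req = getThreadLocalRequest();
        HttpSession session = req.getSession(true);
        byte[] raw = new byte[32];                  // 256 bits of randomness
        RNG.nextBytes(raw);
        String sid = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(SESSION_USER_ID, userId);
        session.setAttribute(SESSION_SID, sid);
        return sid;
    }

    /**
     * Every RPC method calls this first with the two values the client sent.
     * Nothing from the client is trusted until this returns normally.
     */
    protected void requireValidSession(String userId, String sid) {
        HttpServletRequest req = getThreadLocalRequest();
        if (!req.isSecure()) {
            // The pair is a bearer credential; only accept it over HTTPS.
            throw new NotAuthenticatedException("RPC must be sent over HTTPS");
        }
        HttpSession session = req.getSession(false);   // never create one here
        if (session == null) {
            throw new NotAuthenticatedException("no server session");
        }
        String expectedUser = (String) session.getAttribute(SESSION_USER_ID);
        String expectedSid = (String) session.getAttribute(SESSION_SID);
        if (expectedUser == null || expectedSid == null) {
            throw new NotAuthenticatedException("session is not logged in");
        }
        // Compare in constant time so response timing does not reveal how many
        // leading characters of a guessed sid were correct.
        if (!constantTimeEquals(expectedUser, userId)
                || !constantTimeEquals(expectedSid, sid)) {
            throw new NotAuthenticatedException("session does not match user");
        }
    }

    /** Length-safe, timing-safe string comparison using MessageDigest.isEqual. */
    static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) {
            return false;
        }
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}

/** Example concrete handler (hypothetical service and return type). */
class ProfileServiceImpl extends SecureRpcServlet {
    public String getProfileName(String userId, String sid) {
        requireValidSession(userId, sid);
        // From here on, use the userId stored in the session, not the one the
        // client sent, when deciding what data this caller may read.
        HttpSession session = getThreadLocalRequest().getSession(false);
        String trustedUser = (String) session.getAttribute(SESSION_USER_ID);
        return "profile of " + trustedUser;
    }
}
```

Two design points worth noting. First, because the sid lives in the HttpSession, the check only passes when the request also carries the container's own session cookie; the pair therefore ties the RPC payload to that cookie rather than replacing it, so both must be protected by HTTPS. Second, RuntimeException is used here for brevity; in a real GWT service you would declare a serializable checked exception in the service interface so the client receives a typed failure instead of a generic "unexpected exception".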
2 answers

Using SSL and sending the session identifier in the payload of each request are two good first steps. The LoginSecurityFAQ gives a good explanation with more details.

+1

Anyone who can intercept traffic on the wire / radio waves can control the user's session IF you send the session state via SSL / HTTPS.

+1

Source: https://habr.com/ru/post/1755171/
