6

I'm writing a small GWT front-end for a backend app and I was wondering about the best security model for GWT apps?

I was thinking of implementing an RPC method that receives an MD5 of a user password from the client webpage, then passing back a session ID to the client page (or a failcode). All subsequent calls would simply use the session ID and the server would keep track that the IP address for the session ID is the same IP address that created the session ID.

Is this the standard mechanism for (non-SSL) authentication for GWT applications?

If not, can anyone suggest alternative solutions?

Thanks,

Chris
  • This seems like a duplicate: http://stackoverflow.com/questions/2974100/question-on-gwt-cookies-and-webpage-directing A quick search on SO reveals some other related questions - do your research before asking. – Igor Klimer Jun 22 '10 at 15:08
  • Do not send the MD5 of the user password to the client. – JP Richardson Jun 22 '10 at 19:46
  • What do I do instead of sending the MD5 of the password? – Chris Jun 23 '10 at 09:19

1 Answer

6

This page by Google gives a good overview of the security and tasks associated with logging in users. The link on that page to Security for GWT Applications also addresses several common gotchas specifically associated with GWT.

Pace
  • My answer adds zero extra information and it's almost the same as yours; however, that said, you got there first :) lemme delete mine – Anurag Jun 22 '10 at 01:53
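
The session-ID-plus-IP check described in the question, sketched as an added example (not code from the original post, the answer, or GWT itself). `SessionRegistry`, its method names and the 15-minute idle timeout are assumptions, and the caller is assumed to have already verified the credentials on the server.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical server-side session registry; not a GWT API. */
public class SessionRegistry {
    private static final long IDLE_TIMEOUT_MS = 15 * 60 * 1000L; // assumed policy
    private static final SecureRandom RNG = new SecureRandom();

    private static final class Session {
        final String user;
        final String ip;
        volatile long lastSeen;
        Session(String user, String ip, long now) {
            this.user = user; this.ip = ip; this.lastSeen = now;
        }
    }

    private final Map<String, Session> sessions = new ConcurrentHashMap<>();

    /** Call only after the login has been verified server-side. */
    public String create(String user, String clientIp, long now) {
        byte[] raw = new byte[32]; // 256 bits from a CSPRNG, never derived from the password
        RNG.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        sessions.put(id, new Session(user, clientIp, now));
        return id;
    }

    /** Returns the user for a valid session, or null (the "failcode" case). */
    public String validate(String id, String clientIp, long now) {
        Session s = (id == null) ? null : sessions.get(id);
        if (s == null) return null;
        if (now - s.lastSeen > IDLE_TIMEOUT_MS || !s.ip.equals(clientIp)) {
            sessions.remove(id); // idle too long or presented from another address: revoke
            return null;
        }
        s.lastSeen = now;
        return s.user;
    }

    public static void main(String[] args) {
        SessionRegistry reg = new SessionRegistry();
        long t0 = System.currentTimeMillis();
        String id = reg.create("chris", "192.0.2.10", t0); // constructed sample values
        System.out.println(reg.validate(id, "192.0.2.10", t0 + 1000));
        System.out.println(reg.validate(id, "198.51.100.7", t0 + 2000));
        System.out.println(reg.validate(id, "192.0.2.10", t0 + 3000));
    }
}
```

The IP comparison only narrows where a session ID can be reused: clients behind the same NAT or proxy share an address, and without SSL the ID itself still travels in the clear on every call.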