Prevent Cross-site request forgery - Never Rely on The SessionID Sent to Your Server in The Cookie H
Posted by Yan Cheng CHEOK on Stack Overflow
Published on 2010-04-05T16:40:26Z
Indexed on 2010/04/05 16:43 UTC
I am reading the tutorial at
http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
It states
Remember - you must never rely on the sessionID sent to your server in the cookie header ; look only at the sessionID that your GWT app sends explicitly in the payload of messages to your server.
Is it used to prevent http://en.wikipedia.org/wiki/Cross-site_request_forgery#Example_and_characteristics ?
With this methodology, is it sufficient to prevent the above attack?
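The check the quoted FAQ describes, written out as a small added example (not code from the question, the GWT project, or the linked FAQ): the server ignores the session id the browser attaches in the Cookie header and authenticates only from the copy the client app placed explicitly in the request payload. The in-memory session store, the `JSESSIONID` cookie name, the `sessionID` payload field and the request dictionaries are assumptions made for the example. The point it shows is why the pattern defeats the Wikipedia-style forged request: a cross-site page can make the victim's browser send the cookie, but it cannot read the cookie's value, so it cannot reproduce it in the payload.

```python
import secrets

# Constructed in-memory session store: session_id -> username (assumption for this example).
SESSIONS = {}


def create_session(username):
    """Log a user in: mint an unguessable session id and remember it server-side."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def authenticate_request(cookies, payload):
    """Return the username for this request, or None if it must be rejected.

    The session id in the Cookie header is deliberately not consulted for
    authentication; only the copy the client app sent in the payload counts.
    `cookies` is accepted to make the point explicit: it is never read here.
    """
    del cookies  # ignored on purpose: the browser attaches cookies to forged requests too
    sid = payload.get("sessionID")
    if not isinstance(sid, str) or sid not in SESSIONS:
        return None
    return SESSIONS[sid]


def legitimate_client_request(browser_cookies):
    """What the app on the site's own origin does: read its session cookie
    (via JavaScript, so the cookie cannot be HttpOnly) and copy it into the
    message body. Constructed request shape."""
    return {"action": "transfer", "sessionID": browser_cookies["JSESSIONID"]}


def forged_cross_site_request():
    """What a page on another origin can cause the browser to send: the
    browser still attaches the victim's cookie automatically, but the page
    cannot read that cookie, so the payload carries no valid sessionID.
    Constructed for the demonstration."""
    return {"action": "transfer"}


def demo():
    """Run both request kinds against the same logged-in browser session."""
    sid = create_session("alice")
    browser_cookies = {"JSESSIONID": sid}  # what the browser sends in the Cookie header
    genuine = authenticate_request(browser_cookies, legitimate_client_request(browser_cookies))
    forged = authenticate_request(browser_cookies, forged_cross_site_request())
    guessed = authenticate_request(browser_cookies, {"action": "transfer", "sessionID": "not-the-real-id"})
    return genuine, forged, guessed


if __name__ == "__main__":
    print(demo())  # ('alice', None, None)
```

Two practical consequences of the pattern: the session cookie must be readable by the page's script, so it cannot carry the HttpOnly flag, and the session id must be long and random (`secrets.token_urlsafe` above) because guessing it is the only way a third-party page could fill in the payload field.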
© Stack Overflow or respective owner