Prevent Cross-site request forgery - Never Rely on The SessionID Sent to Your Server in The Cookie H
- by Yan Cheng CHEOK
I am reading the tutorial at
http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
It states
Remember - you must never rely on the sessionID sent to your server in the cookie header; look only at the sessionID that your GWT app sends explicitly in the payload of messages to your server.
Is it used to prevent http://en.wikipedia.org/wiki/Cross-site_request_forgery#Example_and_characteristics ?
With this methodology, is it sufficient to prevent the above attack?