Is there any risk of hacker intercepting the session data that is downloaded into client website in GWT?

StackOverflow https://stackoverflow.com/questions/21164899

28-09-2022

Question

OK, here is my scenario. I manage the session at the server side; see the following code:

// server side: identity lives in the HttpSession, keyed by the session cookie
HttpSession session = requestProvider.get().getSession();
String userMeaningID = (String) session.getAttribute("userMeaningID");

Then I bring the userMeaningID into the client website; this code is at the client:

private AsyncCall<PostSignUpResult> postSessionCallback = new AsyncCall<PostSignUpResult>() {
    @Override
    public void onCustomSuccess(PostSignUpResult result) {
        // userMeaningID arrives in the RPC response; everything below runs in the browser
        String userMeaningID = result.getUserMeaningID();
        if (userMeaningID != null && isNumber(userMeaningID)) {
            // user can manipulate info here
        }
    }
};

So my question is: is there any risk that a hacker somehow passes a fake userMeaningID into result, so that result.getUserMeaningID() will return the fake ID and thus the hacker can play with the data on the client? This is not too big a problem because even if they mess up the data and send it to the server, at the server side I double-check the data again to make sure it is valid.

Although all data will be checked at the server side before inserting into the DB, I still want to know:

Is there any risk of hacker intercepting the session data that is downloaded into client website in GWT?

If there is a risk then how can we deal with it?


Solution

SSL is only part of the solution, since an attacker can still steal a session and send requests to attack your RPC services. Use an XSRF token to ensure third parties can't send malicious requests to the RPC services handled by GWT.

The implementation is straightforward. http://www.gwtproject.org/doc/latest/DevGuideSecurityRpcXsrf.html

OTHER TIPS

Well yes, when your network is compromised it is possible for a hacker to intercept data and send you false data (e.g. a man-in-the-middle attack). You can protect yourself from such attacks by securing your connection through asynchronous encryption algorithms (e.g. algorithms like SSL, etc.). The https:// protocol is an example of such a secure connection.

But I wouldn't worry too much about this scenario. Unless you're coding a bank's website or an online nuclear launch controller, this is all overkill for your standard web application.
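The two answers above recommend an XSRF token on the GWT RPC services and HTTPS for the transport. The following is an added example showing how both fit together; it is not code from the question or from either answer. It assumes a GWT module whose base URL is served under /app/, a Servlet 3.0 container (for the @WebServlet/@WebListener annotations and SessionCookieConfig), and a hypothetical AccountService RPC; the GWT classes used are the ones from the DevGuideSecurityRpcXsrf page linked in the accepted answer. Note that the server never trusts a userMeaningID sent by the client: it reads it from the HttpSession, which is the point the question circles around.

```java
// Added example, not from the original post. Several files are shown in one listing;
// the "File:" comments mark where each would live. Names such as AccountService,
// /app/ and "userMeaningID" are assumptions for illustration.

// File: example/shared/AccountService.java (compiled into both client and server)
package example.shared;

import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwt.user.client.rpc.RemoteServiceRelativePath;
import com.google.gwt.user.client.rpc.XsrfProtectedService;

// Extending XsrfProtectedService marks every method as requiring a valid RPC token.
@RemoteServiceRelativePath("account")   // resolves to GWT.getModuleBaseURL() + "account"
public interface AccountService extends XsrfProtectedService {
    // The client never sends its userMeaningID; the server reads it from the session.
    String updateProfile(String displayName);
}

// File: example/shared/AccountServiceAsync.java
interface AccountServiceAsync {
    void updateProfile(String displayName, AsyncCallback<String> callback);
}

// File: example/server/XsrfServlet.java
// Issues tokens. GWT derives the token value from the session cookie, so a cross-site
// page that cannot read JSESSIONID cannot compute a matching token, and same-origin
// policy stops it from reading this servlet's response.
@javax.servlet.annotation.WebServlet("/app/xsrf")
class XsrfServlet extends com.google.gwt.user.server.rpc.XsrfTokenServiceServlet {
    // Equivalent to the gwt.xsrf.session_cookie_name context-param in web.xml.
    XsrfServlet() { super("JSESSIONID"); }
}

// File: example/server/AccountServiceImpl.java
// XsrfProtectedServiceServlet rejects any call whose token does not match the
// caller's session cookie before the method body runs.
@javax.servlet.annotation.WebServlet("/app/account")
class AccountServiceImpl extends com.google.gwt.user.server.rpc.XsrfProtectedServiceServlet
        implements AccountService {
    AccountServiceImpl() { super("JSESSIONID"); }

    @Override
    public String updateProfile(String displayName) {
        javax.servlet.http.HttpSession session = getThreadLocalRequest().getSession(false);
        if (session == null) {
            throw new IllegalStateException("not signed in");
        }
        // Identity comes from the server-side session, never from the RPC payload,
        // so a forged userMeaningID on the client changes nothing here.
        String userMeaningID = (String) session.getAttribute("userMeaningID");
        if (displayName == null || displayName.length() > 64) {
            throw new IllegalArgumentException("bad display name");
        }
        // ... persist displayName for userMeaningID (omitted) ...
        return userMeaningID;
    }
}

// File: example/server/SessionCookieHardening.java
// For the HTTPS answer: keep the session cookie off plaintext HTTP and out of page script.
@javax.servlet.annotation.WebListener
class SessionCookieHardening implements javax.servlet.ServletContextListener {
    @Override
    public void contextInitialized(javax.servlet.ServletContextEvent e) {
        javax.servlet.SessionCookieConfig c = e.getServletContext().getSessionCookieConfig();
        c.setSecure(true);    // only sent over TLS, so a man-in-the-middle on plain HTTP never sees it
        c.setHttpOnly(true);  // not readable by JavaScript; the token servlet still works
    }
    @Override
    public void contextDestroyed(javax.servlet.ServletContextEvent e) { }
}

// File: example/client/AccountClient.java
class AccountClient {
    private final AccountServiceAsync account =
            com.google.gwt.core.client.GWT.create(AccountService.class);

    void updateProfile(final String displayName) {
        // Fetch a token for this session, attach it to the proxy, then make the call.
        final com.google.gwt.user.client.rpc.XsrfTokenServiceAsync xsrf =
                com.google.gwt.core.client.GWT.create(com.google.gwt.user.client.rpc.XsrfTokenService.class);
        ((com.google.gwt.user.client.rpc.ServiceDefTarget) xsrf)
                .setServiceEntryPoint(com.google.gwt.core.client.GWT.getModuleBaseURL() + "xsrf");
        xsrf.getNewXsrfToken(new AsyncCallback<com.google.gwt.user.client.rpc.XsrfToken>() {
            @Override public void onSuccess(com.google.gwt.user.client.rpc.XsrfToken token) {
                ((com.google.gwt.user.client.rpc.HasRpcToken) account).setRpcToken(token);
                account.updateProfile(displayName, new AsyncCallback<String>() {
                    @Override public void onSuccess(String result) { /* refresh the UI */ }
                    @Override public void onFailure(Throwable caught) {
                        com.google.gwt.core.client.GWT.log("RPC rejected", caught);
                    }
                });
            }
            @Override public void onFailure(Throwable caught) {
                com.google.gwt.core.client.GWT.log("could not obtain XSRF token", caught);
            }
        });
    }
}
```

The token only proves the request came from a page that could call the token servlet with the victim's session cookie, which is what blocks a cross-site forgery. It does not protect against script injected into your own origin, and it does not replace the server-side validation the question already describes; the token check and the "read identity from the session" rule in updateProfile are complementary.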

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow