Sending a password securely using gwt and app engine?

Developers https://www.devze.com 2022-12-27 19:26 Source: Internet

I set up session handling on a Google app project. This is supposed to allow my users to log in and maintain state across pages. I just dumped it into the default greeting service to try it out:

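import javax.servlet.http.HttpSession;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

public class GreetingServiceImpl extends RemoteServiceServlet implements GreetingService {
    public void sessionTest(String username) {
        // getSession(false) returns null when no session exists yet; getSession() creates one.
        HttpSession session = getThreadLocalRequest().getSession();
        session.setAttribute("username", username);
    }
}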

then attempting to pull it out in my landing project.jsp page:

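<%
String username = null;
// getSession(false) returns null if no session exists, so check before using it
HttpSession mysession = request.getSession(false);
if (mysession != null && mysession.getAttribute("username") != null) {
    username = (String)mysession.getAttribute("username");
}
else {
    username = "(not logged in yet)";
}
%>

<%-- username comes from the client; HTML-escape it before rendering in a real page --%>
<p>You are: 
<%= username %>
</p>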

It works, but I don't know how to send the data in sessionTest() securely. If I were sending the user's password in there too, it would be in the clear.

This would be OK (I think) if I was using HTTPS, but Google App Engine does not allow you to use HTTPS under custom domains (like www.mysite.com); they have to be under the (mysite.appspot.com) domain.

I'm kind of stuck here - how do we send passwords securely? If I was using PHP, I think I could use digest authentication (I'm not too experienced here) - can we do something like that with GWT + GAE?

Thanks


Session data is stored on the server, not on the client - only an opaque token is sent to the client, to identify the client's session.

That said, you probably shouldn't store the user's password in the session - why would you want to? - or, indeed, in the clear at all.

0
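
An added example, not from the original post or either participant: a JDK-only sketch of the answer's point that the session holds the username and never the password, with the account store keeping a salted PBKDF2 hash instead of the clear text. The class and method names, the `Map` standing in for `HttpSession`, the iteration count and the sample password are assumptions; in the servlet, `requestIsSecure` would come from `getThreadLocalRequest().isSecure()`.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
// Added example with hypothetical names; not the asker's project code.
public class LoginSketch {
    static final int ITERATIONS = 210_000; // assumed work factor, tune for your hardware
    // Stored per account: a random salt and the derived hash, never the password.
    static final class Credential {
        final byte[] salt, hash;
        Credential(byte[] salt, byte[] hash) { this.salt = salt; this.hash = hash; }
    }

    static byte[] derive(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    static Credential enroll(char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return new Credential(salt, derive(password, salt));
    }

    // What a login RPC would do: verify, then keep only the username in the session.
    static boolean login(Map<String, Object> session, boolean requestIsSecure,
                         String username, char[] password, Credential stored) throws Exception {
        if (!requestIsSecure) return false; // refuse credentials sent over plain HTTP
        boolean ok = MessageDigest.isEqual(derive(password, stored.salt), stored.hash);
        Arrays.fill(password, '\0');        // wipe the caller's copy once checked
        if (ok) session.put("username", username); // the password never enters the session
        return ok;
    }

    public static void main(String[] args) throws Exception {
        Credential stored = enroll("correct horse".toCharArray()); // constructed sample
        Map<String, Object> session = new HashMap<>();             // stands in for HttpSession
        System.out.println(login(session, true, "alice", "wrong".toCharArray(), stored));
        System.out.println(login(session, true, "alice", "correct horse".toCharArray(), stored));
        System.out.println(session.keySet());
    }
}
```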
