incubator-esme-dev mailing list archives

From "Hirsch, Richard" <richard.hir...@siemens.com>
Subject Token Problem in browser-based clients
Date Wed, 04 Feb 2009 07:17:06 GMT
Currently, the ESME login requires a token. This is no problem when
using Java, C#, etc. However, in clients that are based in the browser
(such as pure-JavaScript clients -
http://code.google.com/p/esmeproject/wiki/PureJavascript_messaging_client),
the token is visible in the HTML source code. Obviously, this isn't
very secure.

In the quest to use the long-polling features of the browser without
revealing the token, we've been exploring various alternatives. We've
tried logging in via Java, rewriting the JSESSIONID cookie to the
browser and then using this cookie in subsequent REST API calls. This
attempt failed inasmuch as ESME didn't accept the Java-based session
cookie for the JavaScript-based REST API calls.

Anyone have any other ideas to deal with this issue?

D. 

