0

I am developing a web application with GWT and GWTP. I looked into the wiki page of GWTP and implemented the protection against XSRF attacks following the instructions. It runs OK in Dev mode.

Now I have deployed it to the Tomcat server. But in the console, it keeps telling me "no cookie sent by client in RPC". As a result, no RPC call is able to execute, as it is considered to be an XSRF attack.

Could anyone tell me what's wrong with it? Is it because of the Tomcat settings, since the app runs OK in Dev mode?

4

1 Answer

0

I think this does not come from GWTP; it is related to your Tomcat.

The session cookie and the SSO cookie in Tomcat 7 are sent with the HttpOnly flag by default, to instruct browsers to prevent access to those cookies from JavaScript. (This can be enabled in Tomcat 6.0 and 5.5 by setting useHttpOnly="true" on the Context element in the web application or in the global CATALINA_BASE/conf/context.xml file.) http://tomcat.apache.org/migration.html#Session_cookie_configuration

So, check whether your context.xml looks like this:

  <Context cookies="true" useHttpOnly="false">
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
  </Context>

Should the HttpOnly flag be set on session cookies to prevent client-side script from accessing the session ID? Defaults to true.

More about Context attributes

answered 2012-01-10T18:02:13.803
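To make the mechanism behind the error concrete, here is an added Python model of the cookie-based XSRF check the question describes (example code, not GWTP's or Tomcat's own implementation). It parses Set-Cookie headers, models the browser's HttpOnly rule (script can read only non-HttpOnly cookies, while the Cookie request header carries all of them), and then runs the server-side comparison of the value the client script copied into the RPC against the cookie actually sent. Three scenarios are worked through: the Tomcat 7 default, the answer's useHttpOnly="false" setting, and an assumed alternative in which the security cookie is bound to a separate, script-readable token cookie so the session id itself can stay HttpOnly. The cookie name XSRF-TOKEN, the session id and the diagnostic strings are constructed for the example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed sample values; not real session identifiers.
SESSION_ID = "A1B2C3D4E5F6A7B8"
XSRF_COOKIE = "XSRF-TOKEN"   # assumed name for a separate, script-readable cookie


def parse_set_cookies(set_cookie_headers):
    """Parse Set-Cookie response headers into {name: (value, httponly)}."""
    cookies = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            cookies[name] = (morsel.value, bool(morsel["httponly"]))
    return cookies


def js_readable_cookies(set_cookie_headers):
    """Model of document.cookie: the browser exposes to script only the
    cookies that were set without the HttpOnly flag."""
    return {name: value
            for name, (value, httponly) in parse_set_cookies(set_cookie_headers).items()
            if not httponly}


def request_cookie_header(set_cookie_headers):
    """Model of the Cookie request header: the browser attaches every cookie,
    HttpOnly or not, so the server itself always receives the session id."""
    return "; ".join(f"{name}={value}"
                     for name, (value, _) in parse_set_cookies(set_cookie_headers).items())


def validate_rpc(cookie_header, rpc_cookie_value, cookie_name):
    """Server side of the double-submit check: the value the client script
    copied into the RPC body must equal the cookie the browser sent in the
    Cookie header. Returns (ok, reason)."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if cookie_name not in jar:
        return False, "No security cookie in request"
    if rpc_cookie_value is None:
        # This is the situation behind the log line quoted in the question.
        return False, "No cookie sent by client in RPC"
    # Constant-time comparison so the check does not leak the cookie value.
    if not hmac.compare_digest(jar[cookie_name].value, rpc_cookie_value):
        return False, "RPC value does not match request cookie"
    return True, "ok"


def simulate(set_cookie_headers, cookie_name):
    """Run both halves: what the client script can read, then the server check."""
    rpc_value = js_readable_cookies(set_cookie_headers).get(cookie_name)
    return validate_rpc(request_cookie_header(set_cookie_headers), rpc_value, cookie_name)


def scenario_tomcat7_default():
    """Tomcat 7 default: JSESSIONID is HttpOnly and is also the security cookie."""
    return simulate([f"JSESSIONID={SESSION_ID}; Path=/; HttpOnly"], "JSESSIONID")


def scenario_use_httponly_false():
    """The answer's fix: useHttpOnly="false" makes JSESSIONID readable by script,
    so the check passes, at the cost of exposing the session id to any script."""
    return simulate([f"JSESSIONID={SESSION_ID}; Path=/"], "JSESSIONID")


def scenario_separate_token_cookie():
    """Assumed alternative: keep JSESSIONID HttpOnly and bind the security
    cookie to a separate random, script-readable token cookie instead."""
    token = secrets.token_hex(16)
    return simulate([f"JSESSIONID={SESSION_ID}; Path=/; HttpOnly",
                     f"{XSRF_COOKIE}={token}; Path=/"], XSRF_COOKIE)


if __name__ == "__main__":
    for fn in (scenario_tomcat7_default, scenario_use_httponly_false,
               scenario_separate_token_cookie):
        print(f"{fn.__name__}: {fn()}")
```

The first scenario reproduces the symptom from the question: the server receives JSESSIONID fine, but the client script could not read it, so the RPC carries no value and the call is rejected. The second passes because the cookie is readable again, which is exactly what makes it reachable by injected script. The third keeps the session id protected by moving the double-submit value into its own cookie; whether that fits a given GWTP setup depends on how its security cookie name is configured, which this example only assumes.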