Am I correct, that if I pass a self-generated sessionID with every RPC request, and only check this sessionID instead of the one passed in the cookie header, the session can’t be hijacked by malicious sites? I know that you should also send this sessionID in the cookie and then compare it with the one sent with every request to detect an XSRF attack but doing it my way should at least protect against XSRF attacks, doesn’t it?
EDIT
I know that GWT 2.3 takes care of XSRF by providing XSRF Token Support. Sadly I’m stuck with GWT 2.2 and so have to deal with it by myself.
Yes, because the browser doesn’t have enough information to convince your application that it has the right credentials. In a traditional XSRF attack the browser mechanism itself is being exploited and if it doesn’t know how to send the extra information or what information to send then it just won’t work.
However, with this approach, I would be aware that a malicious attacker could still compromise your self-generated sessionID and use it as soon as they figured out the mechanism.
See this wiki page on cryptographic nonce for more ideas. In using the nonce you’re creating something that can only be used for that moment. Once the moment passes the data either becomes useless (in terms of a password salted with a time) or won’t be accepted by the server. This is traditionally used to prevent replay attacks because, if you’ll forgive me, the nonce has passed.