Riley Lark

Reputation: 20890

Secure authentication with GWT and GAE over https?

I want to implement a custom user authentication system in my appengine app. I don't want to use sessions. I'm a newbie in this area, so I have two basic questions:

1: Is it secure to just send a username and password with every single RPC over https? What do I need to do to keep that username and password secure on the client end?

2: How do I tell GWT to use https when it makes its requests?

I don't know much about security, so please don't spare me any "obvious" details.

Thanks!

Upvotes: 6

Views: 1759

Answers (3)

Dzmitry Lazerka

Reputation: 1925

  1. Sending username and password over HTTPS is secure, but nobody does this for every request, because some day you may forget/need to send a request through HTTP. Also, keeping the password in memory will attract XSS hackers. One unnoticed XSS vulnerability will expose passwords. Usually, developers keep either a session-id or an XSRF-token in memory and send it with each request.
  2. Look at http://code.google.com/appengine/docs/java/config/webxml.html#Secure_URLs
  3. Don't forget about XSRF protection; you need to implement it for requests that change something (not read-only).

Upvotes: 2
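The three points above fit naturally into one servlet filter on the server side. The following is an added example, not code from the question, the answer, or the GWT/App Engine projects: a hypothetical `XsrfAndHttpsFilter` that refuses anything that did not arrive over HTTPS (alongside the `CONFIDENTIAL` transport guarantee in web.xml) and requires a per-session XSRF token on state-changing requests. The header name `X-XSRF-Token`, the session attribute name, and the mapping to the RPC path are assumptions chosen for the example; the token is what the GWT client keeps in memory after login instead of the password.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter, mapped in web.xml to the GWT RPC path (e.g. /app/*).
 * It enforces two of the points above: requests must arrive over HTTPS, and
 * state-changing requests must carry the per-session XSRF token.
 */
public class XsrfAndHttpsFilter implements Filter {
    /** Header the GWT client sets on each RPC (name chosen for this example). */
    public static final String TOKEN_HEADER = "X-XSRF-Token";
    /** Session attribute holding the token issued at login (name chosen for this example). */
    public static final String TOKEN_ATTR = "xsrfToken";

    private static final SecureRandom RNG = new SecureRandom();

    /**
     * Called by the login handler once the password has been verified. The
     * returned token goes to the client, which keeps it in memory instead of
     * the password; the password itself is never stored on the client.
     */
    public static String issueToken(HttpSession session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.setAttribute(TOKEN_ATTR, token);
        return token;
    }

    /** GET/HEAD/OPTIONS are treated as read-only; everything else needs the token. */
    static boolean isStateChanging(String method) {
        return !("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method));
    }

    /** Constant-time comparison so the token cannot be recovered byte by byte via timing. */
    static boolean tokenMatches(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     presented.getBytes(StandardCharsets.UTF_8));
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Defence in depth next to <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        // in web.xml: never process credentials or tokens that came in over plain HTTP.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        if (isStateChanging(request.getMethod())) {
            HttpSession session = request.getSession(false); // do not create one here
            String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
            if (!tokenMatches(expected, request.getHeader(TOKEN_HEADER))) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing or invalid XSRF token");
                return;
            }
        }
        chain.doFilter(req, resp);
    }
}
```

Two practical notes. GWT-RPC sends every call as a POST, reads included, so with this filter every RPC must carry the header; the client can add it centrally, for example through a custom `RpcRequestBuilder` installed on the service proxy. Newer GWT releases also ship a built-in `XsrfProtectedServiceServlet` / `XsrfTokenService` pair that implements the same idea, which is worth checking before writing your own.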

Riley Lark

Reputation: 20890

Watching the process with firebug shows that all RPCs are happening over the same protocol that the host page was requested with. This seems to be required for same-site-origin rules, so I'm going to assume that my answers are

1: Yes, but it's slower

2: GWT automatically uses https when the host page was requested with https

Upvotes: 5

Ludovic

Reputation: 21

On GAE you can also use Google User Services API http://code.google.com/appengine/docs/java/users/overview.html . It's very intuitive and you won't need to know security details.

Upvotes: 1
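To show what "you won't need to know security details" means in practice, here is an added example (not code from the answer or from the App Engine documentation) of a hypothetical servlet using the Users API from `com.google.appengine.api.users`: Google performs the sign-in, so the application never receives or stores a password, and the identity is read from the request rather than from something the client sends on each RPC.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

/** Hypothetical servlet: Google signs the user in, the app only asks who they are. */
public class UsersApiServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        UserService users = UserServiceFactory.getUserService();
        User user = users.getCurrentUser(); // null when nobody is signed in

        if (user == null) {
            // Send the visitor to Google's login page and back to this URL afterwards.
            resp.sendRedirect(users.createLoginURL(req.getRequestURI()));
            return;
        }

        // The identity comes from App Engine's session with Google, not from a
        // username/password pair carried in the request, so there is nothing
        // for the client to keep in memory.
        resp.setContentType("text/plain");
        resp.getWriter().println("Signed in as " + user.getEmail());
        resp.getWriter().println("Sign out: " + users.createLogoutURL(req.getRequestURI()));
    }
}
```

Whole URL patterns can also be protected declaratively by adding a `<security-constraint>` with an `<auth-constraint>` to web.xml, in which case App Engine redirects unauthenticated visitors to the login page before the servlet runs; the XSRF point from the accepted answer still applies to state-changing requests, since a signed-in browser will happily submit a forged POST.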
