myfaces-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mark Struberg (JIRA)" <...@myfaces.apache.org>
Subject [jira] [Commented] (MYFACES-3652) Define default view key algorithm
Date Tue, 20 Nov 2012 11:20:59 GMT

    [ https://issues.apache.org/jira/browse/MYFACES-3652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13501109#comment-13501109
] 

Mark Struberg commented on MYFACES-3652:
----------------------------------------

Hi Leo, thanks for the feedback. 

I did a quick test and while the SessionIdGenerator from tomcat creates a much more unpredictable
value it is also much slower than XorShiftRandom. And currently we encrypt that as well, so
this looks a bit like an overkill to me.

> - the viewId hashcode protects against use one valid key for one view in other view,
But an attacker can easily disable this vector by using the same view for the hack. So this
information is not of stellar use in practice.

I agree that with B we _theoretically_ would not need encryption + mac. But I have my doubts
as well.

Please look at the ThreadsafeXorShiftRandom I committed in 2.2.x. Imo this also creates the
unpredictability we need. Even if the random sequence can be predicted if you know the algorighm
and the former seed value, you actually don't know which thread you will hit next and if there
are requests from different users inbetween. In any case it's way superior than just adding
the viewId which always remains the same.


                
> Define default view key algorithm
> ---------------------------------
>
>                 Key: MYFACES-3652
>                 URL: https://issues.apache.org/jira/browse/MYFACES-3652
>             Project: MyFaces Core
>          Issue Type: Sub-task
>          Components: JSR-344
>    Affects Versions: 2.2.0, 2.1.9
>            Reporter: Mark Struberg
>            Assignee: Mark Struberg
>
> Currently we have a few different viewkey generator implementations. Those got added
only in 2.1.9. Before that the only had a TicketCounter in each Session. 
> The original implementation also had no viewId in the key.
> If you think about it, then it makes no sense at all to add the viewId. Despite it's
an int hashCode we have 2 problems which completely trashes the purpose: 
> a.) hashCode is not guaranteed to be unique
> b.) the hashCode is always the same for the same view.
> Think about an application with only one xhtml page. In that case the viewId would add
no additional info.
> With 4 pages you would only reduce the collision rate to over 25%. Since the application
will most times mainly hit by a few entry points like index.html you gain barely anything
from adding this information.
> IF we have had problems with any collisions, then we shall add an XorShift random generator
instead of the viewId. Leo, I didn't an issue report for such a problem. Do you have any tip
for me where I can find that?

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message