myfaces-users mailing list archives

From "Martin Marinschek" <martin.marinsc...@gmail.com>
Subject Re: [Tomahawk] saveState security
Date Sun, 09 Sep 2007 18:57:38 GMT
Hi Francisco,

do you use server side state saving? Then the value of t:saveState is
not transferred to the client. Do you use client side state saving?
Then you can switch on encryption for your state.

regards,

Martin

On 9/9/07, Francisco Passos <francisco.passos@gmail.com> wrote:
> Hello all!
>
> I've been wondering how secure saveState actually is.
> To what extent can we trust the values we get back from the client? Are they
> ciphered with a server key so they can't be tampered with until they get
> sent back to the server?
>
> Or should I assume a client can tamper with the serialized bean and change
> its values? That would make me have to retrieve them again from a liable
> source, thus beating the whole purpose of saveState.
>
> I'm an avid user of t:saveState, but I need to know what I can count on.
>
> Thank you,
> Francisco Passos
>


-- 

http://www.irian.at

Your JSF powerhouse -
JSF Consulting, Development and
Courses in English and German

Professional Support for Apache MyFaces
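
The two options described in the reply above, written out as a `web.xml` fragment. This is an added example, not part of the original message and not the MyFaces project's own configuration. The secret is a placeholder, and defaults for these parameters differ between MyFaces releases, so check the documentation for the version in use.

```xml
<!-- Option A: server-side state saving.
     The component tree and any t:saveState values stay in the HTTP session;
     only an identifier travels to the browser, so the client never holds
     the serialized bean. To use it, set the parameter below to "server"
     and drop the encryption parameters. -->

<!-- Option B: client-side state saving with encryption switched on.
     The serialized state is sent to the browser in a hidden form field,
     so it must be protected with a key that only the server knows. -->
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>

<context-param>
    <!-- Setting this to "false" sends the state unprotected; anything
         read back from it must then be treated as untrusted input. -->
    <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
    <param-value>true</param-value>
</context-param>

<context-param>
    <!-- Cipher used for the state. Older releases default to DES,
         so name a stronger algorithm explicitly. -->
    <param-name>org.apache.myfaces.ALGORITHM</param-name>
    <param-value>AES</param-value>
</context-param>

<context-param>
    <!-- Base64-encoded key. PLACEHOLDER: generate a random key of the
         right length for the algorithm, keep it out of version control,
         and use the same value on every node of a cluster. If no secret
         is configured, the key does not survive a restart or match
         across nodes, and previously issued state can no longer be read. -->
    <param-name>org.apache.myfaces.SECRET</param-name>
    <param-value>REPLACE_WITH_BASE64_ENCODED_KEY</param-value>
</context-param>
```

Encryption on its own hides the state but does not by itself prove it was not modified; whether a given MyFaces release also authenticates the encrypted state is version-dependent and worth confirming before relying on values restored by t:saveState.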
