myfaces-users mailing list archives

From "Martin Marinschek" <>
Subject Re: [Tomahawk] saveState security
Date Sun, 09 Sep 2007 18:57:38 GMT
Hi Francisco,

Do you use server-side state saving? Then the value of t:saveState is
not transferred to the client. Do you use client-side state saving?
Then you can switch on encryption for your state.



On 9/9/07, Francisco Passos <> wrote:
> Hello all!
> I've been wondering how secure saveState actually is.
> To what extent can we trust the values we get back from the client? Are they
> ciphered with a server key so they can't be tampered with until they get
> sent back to the server?
> Or should I assume a client can tamper with the serialized bean and change
> its values? That would make me have to retrieve them again from a liable
> source, thus beating the whole purpose of saveState.
> I'm an avid user of t:saveState, but I need to know what I can count on.
> Thank you,
> Francisco Passos


Your JSF powerhouse -
JSF Consulting, Development and
Courses in English and German

Professional Support for Apache MyFaces
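
The setting referred to in the reply above, as an added `web.xml` sketch that is not part of the original message. The parameter names are MyFaces Core context parameters as I know them; which ones exist depends on the MyFaces version, and the secret values are placeholders. Encryption by itself hides the state but does not detect modification, so the MAC parameters are included for releases that support them.

```xml
<!-- Added example, not from the original thread. Values in UPPER_CASE are placeholders. -->

<!-- State, including t:saveState values, is serialized into the page
     and returned by the browser on postback. -->
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>

<!-- Weak setting: with this set to false, the serialized state is
     only encoded and can be read and changed by the client. -->
<context-param>
    <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
    <param-value>true</param-value>
</context-param>

<!-- Cipher and base64-encoded key. Keep the key out of version control
     and use the same value on every node of a cluster. -->
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM</param-name>
    <param-value>AES</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.SECRET</param-name>
    <param-value>BASE64_ENCODED_KEY_PLACEHOLDER</param-value>
</context-param>

<!-- Integrity check on the encrypted state. Assumption: these two
     parameters are only present in later MyFaces Core releases;
     check the documentation of the version in use. -->
<context-param>
    <param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
    <param-value>HmacSHA1</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.MAC_SECRET</param-name>
    <param-value>BASE64_ENCODED_MAC_KEY_PLACEHOLDER</param-value>
</context-param>
```

With server-side state saving (`javax.faces.STATE_SAVING_METHOD` set to `server`) none of the encryption parameters are needed, because the state does not leave the server.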
