myfaces-users mailing list archives

From Leonardo Uribe <>
Subject Re: Add 'Stateless JSF' to MyFaces Core? Is it really necessary?
Date Wed, 19 Jun 2013 23:00:01 GMT

Anyway, the "transient" attribute was added in JSF 2.2, but there are not
strong enough reasons to add it to MyFaces 2.1.x, which is the main
question of this thread.

Just for the record, there is a small difference when f:view
transient="true" is used. When there is a validation error, since there is
no view state, the previous values of the fields are not saved on the
component tree, but remember those values are sent as request parameters.
It doesn't pose a problem, but in some cases it is relevant to keep it
in mind. Also, without a view state token there is no built-in CSRF
protection, but that may not pose a problem either.

It is good to know how a user expects to use this feature, so I'll keep
the suggestions in mind.


On Jun 19, 2013 5:48 PM, "Howard W. Smith, Jr." <>

> On Wed, Jun 19, 2013 at 12:15 PM, nabbling1138 <> wrote:
> >
> > It has everything to do with avoiding your users experiencing a
> > ViewExpired state exception on a trivial form such as a login.
> >
> ViewExpiredExceptions are 'no' longer a concern of mine since I am using
> OmniFaces restoreView component.
> Also, for my home-grown/custom security-n-session-management
> implementation, my login page accesses @SessionScoped userBean.login, but
> since I've been hearing others advise to use @RequestScoped more than
> @SessionScoped (as much as possible), I am considering changing my
> implementation, so the login page will access @RequestScoped user bean
> instead of @SessionScoped. I am quite sure that that will allow my login
> page to sufficiently/theoretically avoid View Expired exception. I plan to
> try this...when I feel like it, or have bandwidth to do so. :)
>
> > It is non-intuitive for users to get errors (however you have handled
> > them) on simple forms when they went to lunch and came back.
> >
> Agreed. Thank God for OmniFaces restoreView component!
> >
> > Example: Imagine going to your favorite shopping web site. You get
> > interrupted and come back in 30 min - you go to run a search and you get
> > redirected to a friendly but annoying web page or maybe they force you
> > back to a page but you lose everything you typed. Awful customer
> > experience!
> >
> Good point/example. I felt the same way while developing my current
> security/session-management implementation (over time). My app is
> definitely no 'shopping web site' and endusers of my app are very
> understanding of a 15-minute-session-timeout limit for security purposes,
> and I would 'only' assume shopping web sites would require/utilize
> @RequestScoped beans anyway. Take for instance Google or search
> engines... Google loves 'history' (and so do I), @RequestScoped bean
> accepts the input of the enduser, and can update 'search history',
> accordingly when user 'come back in 30 min' to his search page and press
> begin the search. :)
> Surely, not rocket science.
> >
> >
> > --
> > View this message in context:
> >
> > Sent from the MyFaces - Users mailing list archive at
> >
