Bill Lucy created MYFACES-4373:
----------------------------------

    Summary: Use SecureRandom for Token Generation
    Key: MYFACES-4373
    URL: https://issues.apache.org/jira/browse/MYFACES-4373
    Project: MyFaces Core
    Issue Type: Bug
    Reporter: Bill Lucy
    Assignee: Bill Lucy

We should default to using _java.security.SecureRandom_ instead of _java.util.Random_ for ViewState and CSRF token generation. The default values for the following two props will be updated:

org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN to "secureRandom"
org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN to "secureRandom"
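
Why the choice of generator matters for these tokens, shown as an added example (not MyFaces code and not part of the original issue): a java.util.Random reproduces its entire output stream from its seed, while independent SecureRandom instances do not. The class name, method name and seed value are made up for illustration.

```java
import java.security.SecureRandom;
import java.util.Random;

// Added illustration; class and method names are hypothetical, not MyFaces code.
public class TokenSourceDemo {

    private static final char[] HEX = "0123456789abcdef".toCharArray();

    // Draw numBytes from the given generator and hex-encode them as a token.
    // SecureRandom extends Random, so one method serves both generators.
    static String token(Random rng, int numBytes) {
        byte[] raw = new byte[numBytes];
        rng.nextBytes(raw);
        StringBuilder sb = new StringBuilder(numBytes * 2);
        for (byte b : raw) {
            sb.append(HEX[(b >> 4) & 0x0f]).append(HEX[b & 0x0f]);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        long seed = 20200101L; // constructed sample seed

        // java.util.Random: output is a pure function of its 48-bit seed,
        // so two instances with the same seed issue the same token stream.
        Random a = new Random(seed);
        Random b = new Random(seed);
        for (int i = 0; i < 3; i++) {
            String ta = token(a, 16);
            String tb = token(b, 16);
            System.out.println("Random       " + ta + " repeat=" + ta.equals(tb));
        }

        // SecureRandom: seeded from the platform entropy source; independent
        // instances do not share a reproducible stream.
        SecureRandom c = new SecureRandom();
        SecureRandom d = new SecureRandom();
        for (int i = 0; i < 3; i++) {
            String tc = token(c, 16);
            String td = token(d, 16);
            System.out.println("SecureRandom " + tc + " repeat=" + tc.equals(td));
        }
    }
}
```

On a MyFaces version that predates this change, both parameters named in the issue can be set to "secureRandom" explicitly as context-param entries in web.xml.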