Hi

1.1.5 is too old. Please update to 1.1.8 or later versions.
See https://wiki.apache.org/myfaces/Secure_Your_Application for details.

regards,

Leonardo Uribe

2016-12-19 5:44 GMT-05:00 karthik kn <keyan...@gmail.com>:

> Hi,
> I am using myfaces-1.1.5 and using the following state saving method
>
> <context-param><param-name>javax.faces.STATE_SAVING_METHOD</param-name><param-value>server</param-value></context-param>
>
> However, I see that the object identifier is being sent to the server as
> follows
>
> <input type="hidden" name="javax.faces.ViewState"
> id="javax.faces.ViewState"
> value="rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAN0AAEzcHQAJi9qc3AvaGxyL2FjX3N1YnNjcmliZXIvY3J0U2luZ2xlQUMuanNw"
> /></form>
>
> This is the serialized object identifier sent over the network
>
> We are using only https and not http.
>
> Does sending this serialized object identifier without encrypting open any
> vulnerability which the attacker could use to his/her advantage?
>
> --
> -------------------------
> Thanks & Regards
>
> Karthik.K.N
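
An added example, not part of the thread and not MyFaces code: a Python check that decodes the `javax.faces.ViewState` value quoted above, reports whether it is plain Java serialization, and lists the class names and strings readable in it. The function names and the heuristic tag scan are this example's own assumptions; an `opaque` result only means no known magic bytes were found, not that the value is encrypted.

```python
import base64
import struct

JAVA_MAGIC = b"\xac\xed\x00\x05"      # Java STREAM_MAGIC + STREAM_VERSION
GZIP_MAGIC = b"\x1f\x8b"
TC_CLASSDESC, TC_STRING = 0x72, 0x74  # tags followed by a 2-byte length and text

# ViewState value quoted in the message above.
SAMPLE = ("rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAN0"
          "AAEzcHQAJi9qc3AvaGxyL2FjX3N1YnNjcmliZXIvY3J0U2luZ2xlQUMuanNw")

def decode_viewstate(value):
    """Base64-decode a hidden-field value, tolerating wrap whitespace and missing padding."""
    compact = "".join(value.split())
    return base64.b64decode(compact + "=" * (-len(compact) % 4))

def classify(raw):
    """Label the decoded bytes by their leading magic bytes."""
    if raw.startswith(JAVA_MAGIC):
        return "java-serialized"
    if raw.startswith(GZIP_MAGIC):
        return "gzip"
    return "opaque"

def readable_fields(raw):
    """Heuristic scan (assumption: not a full stream parser) for class
    descriptors and strings stored as tag + big-endian length + printable ASCII."""
    found, i = [], len(JAVA_MAGIC)
    while i + 3 <= len(raw):
        tag = raw[i]
        if tag in (TC_CLASSDESC, TC_STRING):
            (n,) = struct.unpack_from(">H", raw, i + 1)
            body = raw[i + 3:i + 3 + n]
            if n and len(body) == n and all(0x20 <= b < 0x7F for b in body):
                kind = "class" if tag == TC_CLASSDESC else "string"
                found.append((kind, body.decode("ascii")))
                i += 3 + n          # skip past the text just consumed
                continue
        i += 1
    return found

def inspect(value):
    """Return (classification, readable fields) for one ViewState value."""
    raw = decode_viewstate(value)
    kind = classify(raw)
    return kind, readable_fields(raw) if kind == "java-serialized" else []

if __name__ == "__main__":
    print(inspect(SAMPLE))
```

For the quoted value this returns `java-serialized` with the class `[Ljava.lang.Object;` and the strings `3` and `/jsp/hlr/ac_subscriber/crtSingleAC.jsp`: the field is Base64-encoded Java serialization, readable by anyone who can see the page source.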