[ https://issues.apache.org/jira/browse/TAP5-53?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13149809#comment-13149809 ]

Martin Strand commented on TAP5-53:
-----------------------------------

Requiring a session to use form components seems a bit excessive.
Imagine a popular page with a simple search box: you could end up with a
zillion useless sessions hanging around for no reason.

As for security, I use a custom ClientDataEncoder to sign all data with an HMAC
so that it cannot be tampered with. Perhaps that should be included in
Tapestry?

In this respect, the old rewind strategy from Tapestry 4 had its advantages :)
> Mechanism to send pointers to serialized data to the client, not the data 
> itself
> --------------------------------------------------------------------------------
>
>                 Key: TAP5-53
>                 URL: https://issues.apache.org/jira/browse/TAP5-53
>             Project: Tapestry 5
>          Issue Type: New Feature
>    Affects Versions: 5.0.15
>            Reporter: Howard M. Lewis Ship
>
> Tapestry has the capability to store much data on the client, whether it is
> persisted page fields or Form component action data. This presents a couple
> of problems: first, it inflates the size of the rendered HTML stream.
> Second, it is a potential security issue, since a hyper-intelligent black hat
> might find a way to change such data before returning it.
>
> What if Tapestry stored the associated bytestreams on the server, and
> provided, in the HTML, just a relatively short pointer (a string id that
> points to the correct bytestream) to the stream?
>
> A small amount of additional data on the server side could be used to
> authenticate the pointer, using the user's session id (if a session exists)
> and host IP.
>
> Unreferenced data would be periodically purged.
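The HMAC-signed ClientDataEncoder Martin Strand describes is not shown on the page; the following is an added, stand-alone Java sketch of that idea (not Tapestry's own code and not his implementation). The server keeps a secret key, appends an HMAC-SHA256 tag to the opaque payload it sends to the client, and on return verifies the tag in constant time before the bytes are handed to anything like an ObjectInputStream. Class and method names, the token layout and the demo secret are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical helper: signs opaque client-side data and rejects tampered copies.
public final class HmacClientData {
    private static final String ALG = "HmacSHA256";
    private final SecretKeySpec key;  // server-side secret, never sent to the client

    public HmacClientData(byte[] secret) {
        this.key = new SecretKeySpec(secret, ALG);
    }

    private byte[] mac(byte[] payload) throws GeneralSecurityException {
        Mac m = Mac.getInstance(ALG);
        m.init(key);
        return m.doFinal(payload);
    }

    /** Token layout (assumed): base64url(payload) + ":" + base64url(HMAC). */
    public String encode(byte[] payload) throws GeneralSecurityException {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(payload) + ":" + enc.encodeToString(mac(payload));
    }

    /** Returns the payload only if the tag verifies; null means "tampered or malformed". */
    public byte[] decode(String token) throws GeneralSecurityException {
        int sep = token.lastIndexOf(':');  // ':' is not in the base64url alphabet
        if (sep < 0) return null;
        byte[] payload, tag;
        try {
            Base64.Decoder dec = Base64.getUrlDecoder();
            payload = dec.decode(token.substring(0, sep));
            tag = dec.decode(token.substring(sep + 1));
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Constant-time comparison; recompute the tag rather than trusting the client's.
        return MessageDigest.isEqual(mac(payload), tag) ? payload : null;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed demo secret and payload; a real key comes from server configuration.
        HmacClientData codec = new HmacClientData("constructed-demo-secret".getBytes(StandardCharsets.UTF_8));
        String token = codec.encode("field=value".getBytes(StandardCharsets.UTF_8));
        System.out.println("untouched token accepted: " + (codec.decode(token) != null));
        String tampered = "Y" + token.substring(1);  // flips the first payload character
        System.out.println("tampered token accepted:  " + (codec.decode(tampered) != null));
    }
}
```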
