[
https://issues.apache.org/jira/browse/TAP5-53?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13149815#comment-13149815
]
Josh Canfield commented on TAP5-53:
-----------------------------------
@Massimo - I'm saying that I don't see the difference between "send pointers
to serialized data to the client, not the data itself" and Http Sessions.
@Martin - "a bit excessive" is a huge understatement. Requiring any user data
on the server for anonymous users is a defect.
> Mechanism to send pointers to serialized data to the client, not the data
> itself
> --------------------------------------------------------------------------------
>
> Key: TAP5-53
> URL: https://issues.apache.org/jira/browse/TAP5-53
> Project: Tapestry 5
> Issue Type: New Feature
> Affects Versions: 5.0.15
> Reporter: Howard M. Lewis Ship
>
> Tapestry has the capability to store much data on the client, whether it is
> persisted page fields, or Form component action data. This presents a couple
> of problems; first, it inflates the size of the rendered HTML stream.
> Second, it is a potential security issue, since a hyper-intelligent black hat
> might find a way to change such data before returning it.
> What if Tapestry stored the associated bytestreams on the server, and
> provided, in the HTML, just a relatively short pointer (a string id that
> points to the correct bytestream) to the stream?
> A small amount of additional data on the server side could be used to
> authenticate the pointer, using the user's session id (if a session exists)
> and host ip.
> Unreferenced data would be periodically purged.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira