I'm currently reviewing all this area. It seems that we have quite some stuff to improve.
a.) just a gut feeling yet, but my tummy tells me that we have to review our key generator/storage strategies. Too complicated or too badly documented. At least they are not self describing. b.) candidate 1: CounterKeyFactory. If we like to prevent reboot clashes then we might add another int which contains a random value. Think about having a Server with a single page right now. Click on it a few times, then restart myfaces and issue a few requests to the same page and go back in your browser history. Proposal: instead of the viewId we should add a random number. c.) a general one. We might introduce an own Random which either uses java.util.concurrent.ThreadLocalRandom for java 7++ or the old Random impl. ThreadLocalRandom has a _much_ better performance on servers! Or we just use a simple XORShift which is surely good enough for most cases and performs like hell. The spreading of XORShift is better than the standard Java algorithm even ... d.) KeyFactory looks a bit overengineered. The return type is either Integer or byte [] but the encoded value is always represented as String. e.) Instead of trashing the Session with setAttribute and synchronized blocks we should rather store an AtomicInteger. This is perfectly fine now as we do not support java 1.4 any longer, right? Just a few random ideas... LieGrue, strub
