[
https://issues.apache.org/jira/browse/MYFACES-3652?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13501109#comment-13501109
]
Mark Struberg commented on MYFACES-3652:
----------------------------------------
Hi Leo, thanks for the feedback.
I did a quick test and while the SessionIdGenerator from tomcat creates a much
more unpredictable value it is also much slower than XorShiftRandom. And
currently we encrypt that as well, so this looks a bit like an overkill to me.
> - the viewId hashcode protects against use one valid key for one view in
> other view,
But an attacker can easily disable this vector by using the same view for the
hack. So this information is not of stellar use in practice.
I agree that with B we _theoretically_ would not need encryption + mac. But I
have my doubts as well.
Please look at the ThreadsafeXorShiftRandom I committed in 2.2.x. Imo this also
creates the unpredictability we need. Even if the random sequence can be
predicted if you know the algorighm and the former seed value, you actually
don't know which thread you will hit next and if there are requests from
different users inbetween. In any case it's way superior than just adding the
viewId which always remains the same.
> Define default view key algorithm
> ---------------------------------
>
> Key: MYFACES-3652
> URL: https://issues.apache.org/jira/browse/MYFACES-3652
> Project: MyFaces Core
> Issue Type: Sub-task
> Components: JSR-344
> Affects Versions: 2.2.0, 2.1.9
> Reporter: Mark Struberg
> Assignee: Mark Struberg
>
> Currently we have a few different viewkey generator implementations. Those
> got added only in 2.1.9. Before that the only had a TicketCounter in each
> Session.
> The original implementation also had no viewId in the key.
> If you think about it, then it makes no sense at all to add the viewId.
> Despite it's an int hashCode we have 2 problems which completely trashes the
> purpose:
> a.) hashCode is not guaranteed to be unique
> b.) the hashCode is always the same for the same view.
> Think about an application with only one xhtml page. In that case the viewId
> would add no additional info.
> With 4 pages you would only reduce the collision rate to over 25%. Since the
> application will most times mainly hit by a few entry points like index.html
> you gain barely anything from adding this information.
> IF we have had problems with any collisions, then we shall add an XorShift
> random generator instead of the viewId. Leo, I didn't an issue report for
> such a problem. Do you have any tip for me where I can find that?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
