I've been thinking about this as well. I think the most secure approach will be to store the serialized data in a temporary (embedded or flat file) database on the server, and send just a short, opaque identifier to the client. This has the added benefit of storing significantly less data on the client side (which might allow the use of GET for forms that do not modify externally persistent state).
Certainly, "salting" the identifier with a session id, or other value that uniquely identifies the user, will be important. I can see two different "stores" for this data; one for unidentified visitors that "salts" with the user's IP address, the other that "salts" with the session id. Clustering issues will make this more complex.

On 1/20/07, Kent Tong <[EMAIL PROTECTED]> wrote:
> Hi,
>
> In T5 every form stores a bunch of data on the client in a hidden field. It is mainly serialized action commands to be executed on form submission to restore the states of the form components (eg, element name). This is very convenient and can relieve the component user (eg, the page) from the task of maintaining the state. This is similar to the "view state" in ASP.NET.
>
> However, it is a serious security issue as a hacker may modify it to execute any existing code on the server that implements the command interface. One may sign the view state using a key generated in the app. However, a hacker may inject it into any other context (different component, different component context, different user) without modifying it. So, we have to relate this view state to the same component & context (the action URL in the form) and to the same user (the session). Therefore, we may sign the view state+the complete URL using the session ID. As the session will expire in time, this should fight against replay attacks. However, the cost is that whenever we display a form, we will use a session.
>
> Any idea?
>
> --
> Author of a book for learning Tapestry (http://www.agileskills2.org/EWDT)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
--
Howard M. Lewis Ship
TWD Consulting, Inc.
Independent J2EE / Open-Source Java Consultant
Creator and PMC Chair, Apache Tapestry
Creator, Apache HiveMind
Professional Tapestry training, mentoring, support and project work.
http://howardlewisship.com
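The two designs discussed in this thread, sketched in Python as an added illustration (this is not code from the thread or from Tapestry): Kent's variant signs the serialized commands together with the form's action URL under a per-session secret, and Howard's variant keeps the commands on the server and hands the client only an opaque token bound to the session and URL. The session dictionary, the per-session random key (used instead of the session id itself as the HMAC key) and the JSON command format are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a server-side session. The signing key never
# leaves the server, so a client can only present blobs the server minted.
def new_session():
    return {"id": secrets.token_hex(16), "key": secrets.token_bytes(32)}

def _mac(session, action_url, state_blob):
    # Sign the action URL together with the blob (length-prefixed so the two
    # fields cannot be shifted into each other), so a valid blob from one
    # form/context is rejected when injected into another.
    msg = len(action_url).to_bytes(4, "big") + action_url.encode() + state_blob
    return hmac.new(session["key"], msg, hashlib.sha256).hexdigest()

def render_form(session, action_url, commands):
    """Variant 1: serialized commands go to the client, signed per session+URL."""
    blob = json.dumps(commands, sort_keys=True, separators=(",", ":")).encode()
    return blob, _mac(session, action_url, blob)

def handle_submit(session, action_url, blob, sig):
    """Return the commands, or None if the session is gone or the MAC fails."""
    if session is None:          # session expired: old blobs cannot be replayed
        return None
    if not hmac.compare_digest(_mac(session, action_url, blob), sig):
        return None
    return json.loads(blob)

class ServerSideStateStore:
    """Variant 2: keep the commands on the server, send only an opaque id."""
    def __init__(self):
        self._entries = {}

    def store(self, session, action_url, commands):
        token = secrets.token_urlsafe(16)
        self._entries[token] = (session["id"], action_url, commands)
        return token

    def load(self, session, action_url, token):
        entry = self._entries.get(token)
        # Token is only honoured for the session and action URL it was issued to.
        if entry is None or entry[0] != session["id"] or entry[1] != action_url:
            return None
        del self._entries[token]   # single use: a resubmitted token is refused
        return entry[2]
```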
