> I don't know. It seems like everyone is treating this client state problem
> as if it's a new security risk that isn't already there, unless I'm missing
> something. People are currently allowed to specify whether they want client
> or session based state management for any given property right?
Yeah, but Tapestry should, and does, abstract those concerns away from the normal development. The decision is taken once at the framework level. It is this decision we're questioning.

> Does anyone know how any other framework handles these security concerns?
> Are we inventing problems that no one else is even addressing or ?....

Nope, we're re-introducing problems that everyone else has already addressed. It is good practice to use a client side key (session-id) for accessing server-side state; the key can be combined with user identity management to ensure that sessions cannot be stolen by manipulation of the key alone (you'd also have to misappropriate the correct user's credentials). I will accept that there may be a class of state which is trivial and might be safely managed by round-trip to the client, but I'm not convinced that it is beneficial.

> I'm not as knowledgeable in this area, so it would be interesting to know if
> anyone out there knows what the right way to do this is..

see above. ;-)

d.
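The two designs the reply contrasts, as an added Python example that is neither Tapestry's code nor part of the thread: a server-side store keyed by an opaque session id and bound to the authenticated principal (so a manipulated key alone yields nothing), beside an integrity-protected round trip for the "trivial" class of state the author concedes might be sent to the client. Class and function names are assumptions, as is the HMAC choice for the client-side variant.

```python
import hashlib
import hmac
import json
import secrets


# Server-side state: the client only holds an opaque session id; the state
# itself never leaves the server, so it cannot be edited in transit.
class ServerSideStateStore:
    def __init__(self):
        self._sessions = {}  # session_id -> (bound principal, state dict)

    def open_session(self, principal):
        sid = secrets.token_urlsafe(32)  # unguessable key handed to the client
        self._sessions[sid] = (principal, {})
        return sid

    def state_for(self, session_id, principal):
        """Return the state only if the session id AND the bound identity match."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None  # unknown or guessed key
        bound_principal, state = entry
        if not hmac.compare_digest(bound_principal.encode(), principal.encode()):
            return None  # valid key, but presented by someone who is not its owner
        return state


# Client-side round trip: the state travels to the browser and back, so it
# must carry a MAC or any field can be edited before it is returned.
def encode_client_state(state, key):
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def decode_client_state(blob, key):
    """Return the state, or None if the MAC does not verify (tampered or forged)."""
    try:
        body_hex, tag = blob.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None  # malformed blob
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)
```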