Hi Francisco, do you use server side state saving? Then the value of t:saveState is not transferred to the client. Do you use client side state saving? Then you can switch on encryption for your state.
regards,

Martin

On 9/9/07, Francisco Passos <[EMAIL PROTECTED]> wrote:
> Hello all!
>
> I've been wondering how secure saveState actually is.
> To what extent can we trust the values we get back from the client? Are they
> ciphered with a server key so they can't be tampered with until they get
> sent back to the server?
>
> Or should I assume a client can tamper with the serialized bean and change
> its values? That would make me have to retrieve them again from a liable
> source, thus beating the whole purpose of saveState.
>
> I'm an avid user of t:saveState, but I need to know what I can count on.
>
> Thank you,
> Francisco Passos

--
http://www.irian.at
Your JSF powerhouse - JSF Consulting, Development and Courses in English and German
Professional Support for Apache MyFaces
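The two options from the reply above, written out as `web.xml` context parameters. This is an added example, not part of the original thread: the `org.apache.myfaces.*` parameter names are the ones documented by Apache MyFaces and should be checked against the version in use, and the key value is a placeholder.

```xml
<!-- Option A: server-side state saving.
     The view state, including t:saveState values, stays on the server;
     the client only receives a reference to it. -->
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
</context-param>

<!-- Option B: client-side state saving with encryption switched on.
     Use this block INSTEAD of Option A, not together with it. -->
<!--
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
    <param-value>true</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM</param-name>
    <param-value>AES</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.SECRET</param-name>
    <!- placeholder: base64 of a randomly generated key of a length
        valid for the chosen algorithm; never commit the real value ->
    <param-value>REPLACE_WITH_BASE64_ENCODED_KEY</param-value>
</context-param>
-->
```

When enabling Option B, remove the outer comment markers and turn the inner placeholder note back into a normal XML comment, since XML comments cannot be nested.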

