Hello Martin.

Thank you for your answer.

It raises two more questions though, could you clarify these for me as well?

- When using server side state saving, is it kept in the session?

and

- How does one use encryption for client-side state saving?

Regards,
Francisco

On 9/9/07, Martin Marinschek <[EMAIL PROTECTED]> wrote:
>
> Hi Francisco,
>
> do you use server side state saving? Then the value of t:saveState is
> not transferred to the client. Do you use client side state saving?
> Then you can switch on encryption for your state.
>
> regards,
>
> Martin
>
> On 9/9/07, Francisco Passos <[EMAIL PROTECTED]> wrote:
> > Hello all!
> >
> > I've been wondering how secure saveState actually is.
> > To what extent can we trust the values we get back from the client? Are they
> > ciphered with a server key so they can't be tampered with until they get
> > sent back to the server?
> >
> > Or should I assume a client can tamper with the serialized bean and change
> > its values? That would make me have to retrieve them again from a liable
> > source, thus beating the whole purpose of saveState.
> >
> > I'm an avid user of t:saveState, but I need to know what I can count on.
> >
> > Thank you,
> > Francisco Passos
> >
>
>
> --
>
> http://www.irian.at
>
> Your JSF powerhouse -
> JSF Consulting, Development and
> Courses in English and German
>
> Professional Support for Apache MyFaces
>
