Hi,

- When using server side state saving, is it kept in the session?

Yep

- How does one use encryption for client-side state saving?

http://wiki.apache.org/myfaces/Secure_Your_Application

Regards,

Cagatay Coast Guard

On 9/9/07, Francisco Passos <[EMAIL PROTECTED]> wrote:
>
> Hello Martin.
>
> Thank you for your answer.
>
> It raises two more questions though, could you clarify these for me as
> well?
>
> - When using server side state saving, is it kept in the session?
>
> and
>
> - How does one use encryption for client-side state saving?
>
> Regards,
> Francisco
>
> On 9/9/07, Martin Marinschek <[EMAIL PROTECTED]> wrote:
> >
> > Hi Francisco,
> >
> > do you use server side state saving? Then the value of t:saveState is
> > not transferred to the client. Do you use client side state saving?
> > Then you can switch on encryption for your state.
> >
> > regards,
> >
> > Martin
> >
> > On 9/9/07, Francisco Passos <[EMAIL PROTECTED]> wrote:
> > > Hello all!
> > >
> > > I've been wondering how secure saveState actually is.
> > > To what extent can we trust the values we get back from the client? Are they
> > > ciphered with a server key so they can't be tampered with until they get
> > > sent back to the server?
> > >
> > > Or should I assume a client can tamper with the serialized bean and change
> > > its values? That would make me have to retrieve them again from a liable
> > > source, thus beating the whole purpose of saveState.
> > >
> > > I'm an avid user of t:saveState, but I need to know what I can count on.
> > >
> > > Thank you,
> > > Francisco Passos
> >
> > --
> >
> > http://www.irian.at
> >
> > Your JSF powerhouse -
> > JSF Consulting, Development and
> > Courses in English and German
> >
> > Professional Support for Apache MyFaces
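
Added example, not part of the thread: a `web.xml` fragment for the client-side state encryption discussed above, using MyFaces context parameters. The key, IV and MAC secret values are placeholders, and the two MAC parameters assume a MyFaces release that supports them.

```xml
<!-- Added example. All param-value entries for keys are placeholders. -->

<!-- State, including t:saveState values, is serialized into the page. -->
<context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>client</param-value>
</context-param>

<!-- Setting this to false sends the state readable and modifiable. -->
<context-param>
  <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
  <param-value>true</param-value>
</context-param>

<!-- Base64-encoded server key. Keep it out of version control and use
     the same value on every node of a cluster. -->
<context-param>
  <param-name>org.apache.myfaces.SECRET</param-name>
  <param-value>REPLACE_WITH_BASE64_ENCODED_AES_KEY</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.ALGORITHM</param-name>
  <param-value>AES</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.ALGORITHM_PARAMETERS</param-name>
  <param-value>CBC/PKCS5Padding</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.ALGORITHM_IV</param-name>
  <param-value>REPLACE_WITH_BASE64_ENCODED_IV</param-value>
</context-param>

<!-- Assumption: a MyFaces release with MAC support. Encryption hides the
     state; the MAC is what makes the server reject a modified copy. -->
<context-param>
  <param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
  <param-value>HmacSHA256</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.MAC_SECRET</param-name>
  <param-value>REPLACE_WITH_BASE64_ENCODED_MAC_KEY</param-value>
</context-param>
```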

