Hi Simon,

> I think any of the following (in order of preference) should solve this:
>
> (1) in web.xml, define init-parameter "org.apache.myfaces.SECRET" to be
> some reasonably long string. The server will then use the same
> encryption secret after restart (instead of generating a key itself),
> and so will be able to decrypt "old" sessions.

Tried it, didn't help.

>
> (2) in web.xml, define init-parameter
> "org.apache.myfaces.USE_ENCRYPTION" to be "false", in order to disable
> client-side state encryption. Of course this potentially opens a
> security hole in the app.

Tried it, didn't help.

>
> (3) use server-side state saving (only client-side state is encrypted)

Tried it, didn't help.

> </quote>

Felix

