You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@myfaces.apache.org by "yamo (JIRA)" <in...@incubator.apache.org> on 2005/04/05 06:32:17 UTC

[jira] Created: (MYFACES-164) Server-side state should be held

Server-side state should be held
--------------------------------

         Key: MYFACES-164
         URL: http://issues.apache.org/jira/browse/MYFACES-164
     Project: MyFaces
        Type: Improvement
    Versions: 1.0.9 beta    
 Environment: WindowsXP SP2;J2SE1.4.2_07;Tomcat4.1.31
    Reporter: yamo
    Priority: Minor


"When I navigate back to a form that has previously been submitted, using the browser back button, I need to click the submit button twice in order for the form to actually resubmit".
In the mailing list (myfaces-user at 15 Nov 2004), Manfred said "This problem does not exist for client-side state saving".
To be sure, it seems work correctly, but client-side state saving have security problems.
Client-side state is non encrypted data, so users can see the state, and tamper with it.
It is necessary to hold sever-side state like JSF-RI 1.1_01 to use MyFaces for secure application.


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira

[jira] Commented: (MYFACES-164) Server-side state should be held

Posted by "yamo (JIRA)" <in...@incubator.apache.org>.

     [ http://issues.apache.org/jira/browse/MYFACES-164?page=comments#action_62155 ]
     
yamo commented on MYFACES-164:
------------------------------

Epexegesis:
Prease see

(MyFaces 1.0.9)
org.apache.myfaces.application.jsp.JspStateManagerImpl#removeSerializedViewFromServletSession

and

(JSF-RI 1.1_01)
com.sun.faces.application.StateManagerImpl#removeViewFromSession


> Server-side state should be held
> --------------------------------
>
>          Key: MYFACES-164
>          URL: http://issues.apache.org/jira/browse/MYFACES-164
>      Project: MyFaces
>         Type: Improvement
>     Versions: 1.0.9 beta
>  Environment: WindowsXP SP2;J2SE1.4.2_07;Tomcat4.1.31
>     Reporter: yamo
>     Priority: Minor

>
> "When I navigate back to a form that has previously been submitted, using the browser back button, I need to click the submit button twice in order for the form to actually resubmit".
> In the mailing list (myfaces-user at 15 Nov 2004), Manfred said "This problem does not exist for client-side state saving".
> To be sure, it seems work correctly, but client-side state saving have security problems.
> Client-side state is non encrypted data, so users can see the state, and tamper with it.
> It is necessary to hold sever-side state like JSF-RI 1.1_01 to use MyFaces for secure application.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
If you want more information on JIRA, or have a bug to report see:
   http://www.atlassian.com/software/jira