Posted to dev@myfaces.apache.org by "Holger Schimanski (JIRA)" <my...@incubator.apache.org> on 2005/09/05 10:28:30 UTC

[jira] Commented: (MYFACES-164) Server-side state should be held

    [ http://issues.apache.org/jira/browse/MYFACES-164?page=comments#action_12322639 ] 

Holger Schimanski commented on MYFACES-164:
-------------------------------------------

The current implementation of server side state saving is useless from our point of view, because it only saves the state of the latest jsp. If you click browser back after a navigation, the view has to be recreated on server side and because of that after restore_view only render_response is called. So no actions etc. are fired. 

In RI the latest state for each jsp is saved. (With config parameter of a max. size of the state cache.) This is a much better approach. 

Can you please reopen this issue? 

To fix this issue method JspStateManagerImpl.removeSerializedViewFromServletSession(...) should just do nothing. Then there is at least one entry for each jsp in the session. (To have a maximum size would be nicer, but as long as you don't have hundreds of jsps, there should be no problem with no cache size.)

Thanks.

> Server-side state should be held
> --------------------------------
>
>          Key: MYFACES-164
>          URL: http://issues.apache.org/jira/browse/MYFACES-164
>      Project: MyFaces
>         Type: Improvement
>     Versions: 1.0.9m9
>  Environment: WindowsXP SP2;J2SE1.4.2_07;Tomcat4.1.31
>     Reporter: yamo
>     Priority: Minor
>
> "When I navigate back to a form that has previously been submitted, using the browser back button, I need to click the submit button twice in order for the form to actually resubmit".
> In the mailing list (myfaces-user at 15 Nov 2004), Manfred said "This problem does not exist for client-side state saving".
> To be sure, it seems to work correctly, but client-side state saving has security problems.
> Client-side state is non-encrypted data, so users can see the state and tamper with it.
> It is necessary to hold server-side state like JSF-RI 1.1_01 to use MyFaces for secure applications.

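Added example (not part of the original message, and not MyFaces or JSF RI code): a sketch of the approach the comment describes, keeping the latest server-side state for each view in the session with a configurable maximum, so that per-session memory stays bounded while a browser-back postback can still find its state. The class name BoundedViewStateCache, its methods and the sample view ids are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper, one instance stored per HTTP session.
public class BoundedViewStateCache {
    private final int maxViews;
    private final LinkedHashMap<String, Object> states;

    public BoundedViewStateCache(final int maxViews) {
        if (maxViews < 1) {
            throw new IllegalArgumentException("maxViews must be >= 1");
        }
        this.maxViews = maxViews;
        // accessOrder = true: restoring a view marks it as recently used,
        // so the least recently used view is the one dropped at the limit.
        this.states = new LinkedHashMap<String, Object>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Object> eldest) {
                return size() > BoundedViewStateCache.this.maxViews;
            }
        };
    }

    // Keep only the latest state per view id; an older state for the
    // same view is overwritten. Synchronized because one session can
    // serve concurrent requests.
    public synchronized void save(String viewId, Object serializedView) {
        states.put(viewId, serializedView);
    }

    // Returns null when the view was never saved or has been evicted;
    // the caller then has to recreate the view from scratch.
    public synchronized Object restore(String viewId) {
        return states.get(viewId);
    }

    public synchronized int size() {
        return states.size();
    }

    public static void main(String[] args) {
        // Constructed sample navigation: form -> result -> browser back -> other
        BoundedViewStateCache cache = new BoundedViewStateCache(2);
        cache.save("/form.jsp", "state-of-form");
        cache.save("/result.jsp", "state-of-result");
        // Browser back to the form: its state is still held server side.
        System.out.println("form restored: " + (cache.restore("/form.jsp") != null));
        // A third view exceeds the limit and evicts the least recently used one.
        cache.save("/other.jsp", "state-of-other");
        System.out.println("result restored: " + (cache.restore("/result.jsp") != null));
        System.out.println("views held: " + cache.size());
    }
}
```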