Currently we are using the "server" state saving method in the application configuration, and all the pages contain a unique value in the field "javax.faces.ViewState"; the application submits a serialized object javax.faces.ViewState in a request parameter.
How can we avoid vulnerabilities/CSRF attacks related to the object "javax.faces.ViewState"?
PrimeFaces 4.0
JSF 2.0
<!-- web.xml context parameters -->
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
</context-param>
<!-- org.apache.myfaces.* parameters are read by MyFaces only; Mojarra ignores them -->
<context-param>
    <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
    <param-value>true</param-value>
</context-param>
javax.faces.ViewState vulnerabilities

kukeltje wrote:
Check stackoverflow... This is not a PrimeFaces issue

Reply:
And by default, ViewState is encrypted anyway.

kukeltje wrote:
But in pre 2.2 it was not 100% good
https://java.net/jira/browse/JAVASERVER ... PUBLIC-869

smokeybandit wrote:
But still a lot better than pre-2.0!

Reply:
+1
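What the exchange above turns on is whether the value carried in javax.faces.ViewState can be produced by someone outside the victim's session. The following is an added example written for this page; it is not code from PrimeFaces, Mojarra or MyFaces. It is a small Python model of the two state-saving modes under two stated assumptions: server-side saving hands out a random handle into the user's own session, and client-side saving encrypts and MACs the serialized state under one application-wide key that is not bound to the session. The parameter name javax.faces.Token for a per-session token is likewise an assumption of the model. Under those assumptions a server-side handle taken from the attacker's own session is rejected in the victim's session, whereas an encrypted client-side token verifies in any session (the attacker only needs an account of their own to obtain one) and is stopped only by an additional session-bound token. Whether a given JSF version encrypts client state, and whether it binds that state or a separate token to the session, is the check to make against that implementation's documentation before relying on ViewState as the CSRF defence.

```python
import base64
import hashlib
import hmac
import json
import os

VIEWSTATE = "javax.faces.ViewState"
TOKEN = "javax.faces.Token"  # assumed name of a per-session token parameter

# One client-state key for the whole application: an assumption of this model.
APP_KEY = os.urandom(32)

def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode()

class Session:
    def __init__(self):
        self.views = {}                         # server-side state: handle -> state
        self.csrf_token = _b64(os.urandom(16))  # per-session token used by the fix

# --- server-side saving: ViewState is a random handle into this session ---
def render_server_side(session, view_id):
    handle = _b64(os.urandom(16))
    session.views[handle] = {"view": view_id}
    return handle

def postback_server_side(session, params):
    state = session.views.get(params.get(VIEWSTATE, ""))
    if state is None:
        raise PermissionError("ViewState does not belong to this session")
    return state["view"]

# --- client-side saving: state rides in the form, encrypted then MAC'd ---
def _keystream(nonce, length):
    blocks = [hmac.new(APP_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(0, length, 32)]
    return b"".join(blocks)[:length]

def _seal(state):
    plain = json.dumps(state).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(nonce, len(plain))))
    mac = hmac.new(APP_KEY, nonce + ct, hashlib.sha256).digest()
    return _b64(nonce + ct + mac)

def _open(token):
    raw = base64.urlsafe_b64decode(token.encode())
    nonce, ct, mac = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(APP_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):     # verify before decrypting
        raise PermissionError("ViewState MAC check failed")
    plain = bytes(c ^ k for c, k in zip(ct, _keystream(nonce, len(ct))))
    return json.loads(plain)

def render_client_side(session, view_id):
    return _seal({"view": view_id})

def postback_client_side(session, params, require_token=False):
    state = _open(params.get(VIEWSTATE, ""))
    if require_token and not hmac.compare_digest(params.get(TOKEN, ""), session.csrf_token):
        raise PermissionError("missing or wrong per-session token")
    return state["view"]

def _accepted(handler, *args, **kwargs):
    try:
        handler(*args, **kwargs)
        return True
    except PermissionError:
        return False

def simulate():
    """Attacker with an account of their own forges postbacks for the victim;
    returns which requests the server would accept."""
    victim, attacker = Session(), Session()
    legit = {VIEWSTATE: render_server_side(victim, "/transfer.xhtml")}
    stolen = {VIEWSTATE: render_server_side(attacker, "/transfer.xhtml")}
    results = {
        "server_legit_accepted": _accepted(postback_server_side, victim, legit),
        "server_replay_accepted": _accepted(postback_server_side, victim, stolen),
    }
    # The attacker's own page yields a token that verifies under the shared key,
    # so it is equally valid when posted from inside the victim's session.
    stolen = {VIEWSTATE: render_client_side(attacker, "/transfer.xhtml")}
    with_token = {**stolen, TOKEN: victim.csrf_token}  # only the victim's pages carry it
    raw = bytearray(base64.urlsafe_b64decode(stolen[VIEWSTATE].encode()))
    raw[16] ^= 0x01                                     # flip one ciphertext byte
    tampered = {VIEWSTATE: _b64(bytes(raw))}
    results.update({
        "client_replay_accepted": _accepted(postback_client_side, victim, stolen),
        "client_replay_with_token_accepted":
            _accepted(postback_client_side, victim, stolen, require_token=True),
        "client_legit_with_token_accepted":
            _accepted(postback_client_side, victim, with_token, require_token=True),
        "client_tampered_accepted": _accepted(postback_client_side, victim, tampered),
    })
    return results
```

Calling simulate() returns a dictionary of which forged and legitimate postbacks are accepted: the server-side replay is refused, the client-side replay is accepted until the per-session token is required, and the tampered client-side token fails the MAC check. The XOR keystream stands in for whatever cipher a real implementation uses; the point of the model is the MAC and the session binding, not the cipher.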