Regarding the generation of the hash, would s:token also address the possibility of replay attacks? (Where the same request can be sent multiple times without having to modify the contents, but still have a malicious effect). If it doesn't, I would consider looking at also generating a random number when rendering s:token, and that random number is stored on the server viewstate and client side (for each request), and used in calculating the hash. This number would change with each request.<br>
<br> If this is already address issue, please ignore. My knowledge of internal JSF workings (form client ID for example), is limited compared to that of hashing/replay attacks/etc.<br><br>Ashish Tonse<br><br><div class="gmail_quote">
On Wed, Mar 11, 2009 at 10:23 AM, Dan Allen <span dir="ltr"><<a href="mailto:dan.j.allen@gmail.com">dan.j.allen@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Issue created and initial concept patch provided here <a href="https://jira.jboss.org/jira/browse/JBSEAM-4007" target="_blank">https://jira.jboss.org/jira/browse/JBSEAM-4007</a><div><div></div><div class="h5"><br clear="all">
<br>-- <br>Dan Allen<br>Senior Software Engineer, Red Hat | Author of Seam in Action<br>
<br><a href="http://mojavelinux.com" target="_blank">http://mojavelinux.com</a><br><a href="http://mojavelinux.com/seaminaction" target="_blank">http://mojavelinux.com/seaminaction</a><br><br>NOTE: While I make a strong effort to keep up with my email on a daily<br>
basis, personal or other work matters can sometimes keep me away<br>from my email. If you contact me, but don't hear back for more than a week,<br>it is very likely that I am excessively backlogged or the message was<br>
caught in the spam filters. Please don't hesitate to resend a message if<br>you feel that it did not reach my attention.<br>
</div></div><br>_______________________________________________<br>
seam-dev mailing list<br>
<a href="mailto:seam-dev@lists.jboss.org">seam-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/seam-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/seam-dev</a><br>
<br></blockquote></div><br>