Hi, After practicing on page param, I found that page param is very nice, especially on its bidirectional. However, I also found a problem when I used it about its security. For example, I list all my friends , then I click on one of them and get page param friendId=?, e.g. fiendId=3. On the url localhost/friendView.xhtml?friendId=3, if I manually change friendId=5 and press Enter from url, I will get person info of id=5, but the person of id=5 is NOT my friend. So how can I prevent this case? (user manually changes page param from url). Thank you very much in advance. View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4126181#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...