I really don't see how the problems you cited in the response below have anything to do with a stale view. Sure, I could write a bot that hits a website and does a legitimate and timely postback to submit a contact form over and over. I could also attempt to use someone else's username and attempt to log in to seamframework.org a dozen times, and would end up locking their account (if that security measure is enforced). The website just has to be smarter than that.

When used appropriately, I still feel there are legitimate times when the view can be built during restore view w/o introducing any more security problems than naturally exist on the web. It would be the same as giving them a fresh view and asking them to enter the exact same data over again and submit it.
-Dan
On Wed, Oct 1, 2008 at 1:00 PM, Christian Bauer
<christian.bauer(a)gmail.com> wrote:
> On Oct 01, 2008, at 18:32 , Dan Allen wrote:
>
> > A contact form is another great example. It would be no different than implementing a GET request with a page action. No doubt I am not thinking of some obscure attack, so feel free to cite where my logic is faulty, but I believe there is such a thing as a stateless page.
>
> Well, would you like that some "other" website submits "your" contact form a hundred times? This might be just a DoS instead of a real exploit but it's still not something I would want to happen.
>
> Anything that is non-safe, in the sense that resource state is permanently modified, no matter if you abuse a GET (which is supposed to be safe) or have an XSRF POST problem, is potentially damaging. Even a login form can be problematic, let's say you lock the account after three unsuccessful authentication attempts?
>
> _______________________________________________
> seam-dev mailing list
> seam-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/seam-dev
--
Dan Allen
Software consultant | Author of Seam in Action
http://mojavelinux.com
http://mojavelinux.com/seaminaction
NOTE: While I make a strong effort to keep up with my email on a daily
basis, personal or other work matters can sometimes keep me away
from my email. If you contact me, but don't hear back for more than a week,
it is very likely that I am excessively backlogged or the message was
caught in the spam filters. Please don't hesitate to resend a message if
you feel that it did not reach my attention.