I'd be interested in feedback especially from Shane, who had some
questions about Seam Remoting and CSRF. I tried to explain it and show
why/how we have some missing features in this area. I think we need to
do something about it - like per-request tokens. However, we might
want to expand this feature as a general CSRF solution that also works
with the REST request processing, for example. (And Wicket forms?)

This fell off the back of the truck over the holiday break. Thanks for rekindling.

Dan, if you could add the current status of "stateless" view
processing in JSF 2.0 to the CSRF page, we can go from there and draft
some recommendations for users.

Every time I visit the JSF EG mailing list, this issue crosses my mind. I will add it to my agenda.

--
Dan Allen
Senior Software Engineer, Red Hat | Author of Seam in Action

http://mojavelinux.com
http://mojavelinux.com/seaminaction