Christian,
Thanks for bringing this to everyone's attention. It's a very critical
part of the discussion. I did anticipate this problem when I put forth
the idea that the automatic building of a view in restore view should
be configurable so that it only applies to certain "stateless" view
IDs.
For instance, on a login page, you don't have any credentials and are
requesting the server to authenticate you, so really the previous view
doesn't matter (unless of course there is some auto-login feature
enabled). A contact form is another great example. It would be no
different than implementing a GET request with a page action. No doubt
I am not thinking of some obscure attack, so feel free to cite where
my logic is faulty, but I believe there is such a thing as a stateless
page.
-Dan
On Tue, Sep 30, 2008 at 12:01 PM, Christian Bauer
<christian.bauer(a)gmail.com> wrote:
Because it is back on Slashdot again today, I remembered why the "let's
automatically build a view if we don't have one in RESTORE VIEW phase"
proposal in JSF 2.0 was not sitting right with me.
You need a little background on XSRF (Wikipedia or something) and see the
older discussion here and especially my last comment:
http://www.seamframework.org/Community/IsSeamRemotingVulnerableToCrossSit...
I actually now think that we should have a cryptographically strong (and of
course mandatory) view identifier for better XSRF protection. There are some
other solutions worth discussing but AFAIK most of the good ones involve a
token/session mapping of some kind, so we run into the "view has expired"
problem again.
_______________________________________________
seam-dev mailing list
seam-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/seam-dev
--
Dan Allen
Software consultant | Author of Seam in Action
http://mojavelinux.com
http://mojavelinux.com/seaminaction
NOTE: While I make a strong effort to keep up with my email on a daily
basis, personal or other work matters can sometimes keep me away
from my email. If you contact me, but don't hear back for more than a week,
it is very likely that I am excessively backlogged or the message was
caught in the spam filters. Please don't hesitate to resend a message if
you feel that it did not reach my attention.
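Added illustration (not Seam or JSF code, and not anything either participant posted) of the two token designs the thread contrasts: the server-side token/session mapping Christian says most good XSRF defences use, which runs into "view has expired" once a bounded map evicts an old view, and a stateless, HMAC-based view identifier bound to the session that needs no per-view server state. It also models Dan's idea of a configurable set of "stateless" view IDs that RESTORE VIEW may auto-build without a token. Python is used to keep the logic runnable stand-alone; the class and function names, the STATELESS_VIEWS set, the token layout and the sample session and view IDs are all assumptions made for this example.

```python
"""Two XSRF-token designs for a JSF-style RESTORE VIEW step, illustrated in Python.

Added example, not Seam or JSF code. Names (SessionMappedViews, HmacViewTokens,
restore_view, STATELESS_VIEWS), the token layout and the sample session/view ids
are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
import time
from collections import OrderedDict


class SessionMappedViews:
    """Design 1: a per-session token -> view-id map kept on the server.

    Tokens are unguessable, but the map is bounded, so an old view's token is
    evicted and a late POST-back hits the "view has expired" problem.
    """

    def __init__(self, max_views=3):
        self.max_views = max_views
        self.views = OrderedDict()  # token -> view id, oldest first

    def issue(self, view_id):
        token = secrets.token_urlsafe(24)
        self.views[token] = view_id
        while len(self.views) > self.max_views:
            self.views.popitem(last=False)  # evict the oldest view
        return token

    def restore(self, token, view_id):
        return "ok" if self.views.get(token) == view_id else "expired"


class HmacViewTokens:
    """Design 2: a stateless, cryptographically strong view identifier.

    token = "<issued_at>.<HMAC-SHA256(key, session_id | view_id | issued_at)>".
    Nothing is stored per view, so a token never "expires" because of
    eviction; only its age is checked. A cross-site page can make the victim's
    browser send the session cookie, but cannot compute the MAC without the
    server key, so a forged POST-back carries no valid token.
    """

    def __init__(self, server_key, max_age=3600):
        self.key = server_key
        self.max_age = max_age

    def _mac(self, session_id, view_id, issued_at):
        msg = f"{session_id}|{view_id}|{issued_at}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, view_id, now=None):
        issued_at = int(time.time() if now is None else now)
        return f"{issued_at}.{self._mac(session_id, view_id, issued_at)}"

    def verify(self, session_id, view_id, token, now=None):
        now = time.time() if now is None else now
        try:
            issued_at, mac = token.split(".", 1)
            issued_at = int(issued_at)
        except (AttributeError, ValueError):
            return False  # malformed or missing token
        if not 0 <= now - issued_at <= self.max_age:
            return False  # too old (or from the future)
        return hmac.compare_digest(self._mac(session_id, view_id, issued_at), mac)


# Dan's proposal: views that carry no user state may be (re)built without a token.
# The set itself is an assumed configuration value.
STATELESS_VIEWS = {"/login.xhtml", "/contact.xhtml"}


def restore_view(tokens, session_id, view_id, token, stateless_views=STATELESS_VIEWS, now=None):
    """Decide what RESTORE VIEW does with a POST-back to view_id.

    Returns "built" (stateless view, auto-built), "restored" (valid token) or
    "rejected" (missing/invalid token: treat as a possible XSRF).
    """
    if view_id in stateless_views:
        return "built"
    if token is None or not tokens.verify(session_id, view_id, token, now=now):
        return "rejected"
    return "restored"


if __name__ == "__main__":
    # Design 1: the fourth issued view pushes the first out of the map.
    sm = SessionMappedViews(max_views=3)
    first = sm.issue("/cart.xhtml")
    for v in ("/a.xhtml", "/b.xhtml", "/c.xhtml"):
        sm.issue(v)
    print("design 1, old view:", sm.restore(first, "/cart.xhtml"))  # expired

    # Design 2: same session and view -> restored; no token or wrong session -> rejected.
    hv = HmacViewTokens(secrets.token_bytes(32))
    tok = hv.issue("sess-victim", "/transfer.xhtml")
    print(restore_view(hv, "sess-victim", "/transfer.xhtml", tok))   # restored
    print(restore_view(hv, "sess-victim", "/transfer.xhtml", None))  # rejected (forged POST)
    print(restore_view(hv, "sess-other", "/transfer.xhtml", tok))    # rejected
    print(restore_view(hv, "sess-victim", "/login.xhtml", None))     # built
```

The stateless design trades the eviction problem for an age check, which is the only "expiry" it has; in practice the server key must be rotated carefully, and the allow-list of stateless views has to be reviewed so that nothing with side effects (an auto-login feature, as Dan notes) ends up on it.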