Because it is back on Slashdot again today, I remembered why the
"let's automatically build a view if we don't have one in RESTORE VIEW
phase" proposal in JSF 2.0 was not sitting right with me.
You need a little background on XSRF (Wikipedia or something); see
the older discussion here, and especially my last comment:
http://www.seamframework.org/Community/IsSeamRemotingVulnerableToCrossSit...
I actually now think that we should have a cryptographically strong
(and of course mandatory) view identifier for better XSRF protection.
There are some other solutions worth discussing but AFAIK most of the
good ones involve a token/session mapping of some kind, so we run into
the "view has expired" problem again.
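
The trade-off described above, as an added example that is not part of the original message and is not JSF or Seam code: a session-held registry hands out random view identifiers and refuses any postback without one. The class name, method names and the `/transfer.xhtml` view are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical registry; one instance is assumed to live in each user's HTTP session. */
public class ViewTokenRegistry {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, String> views = new HashMap<>(); // identifier -> view name

    /** Called when a view is rendered: returns the identifier to embed in the form. */
    public synchronized String issue(String viewName) {
        byte[] raw = new byte[32]; // 256 bits from a CSPRNG, so another site cannot guess it
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        views.put(token, viewName);
        return token;
    }

    /** Called on postback: a missing or unknown identifier never builds a fresh view. */
    public synchronized String restore(String token, String requestedView) {
        String known = (token == null) ? null : views.get(token);
        if (known == null || !known.equals(requestedView)) {
            throw new IllegalStateException("view has expired");
        }
        return known;
    }

    public static void main(String[] args) {
        ViewTokenRegistry session = new ViewTokenRegistry();
        String token = session.issue("/transfer.xhtml");
        System.out.println("legitimate postback -> " + session.restore(token, "/transfer.xhtml"));

        // Constructed inputs: a cross-site form carries no valid identifier for this session.
        for (String forged : new String[] { null, "", "guessed-value" }) {
            try {
                session.restore(forged, "/transfer.xhtml");
            } catch (IllegalStateException e) {
                System.out.println("postback with [" + forged + "] -> rejected: " + e.getMessage());
            }
        }
        // After a session timeout the mapping is gone, so a genuine but stale form fails the same way.
        ViewTokenRegistry newSession = new ViewTokenRegistry();
        try {
            newSession.restore(token, "/transfer.xhtml");
        } catch (IllegalStateException e) {
            System.out.println("stale form, new session -> rejected: " + e.getMessage());
        }
    }
}
```

The last case is the "view has expired" problem: the server cannot tell a stale genuine form from a forged one, which is also why building the view automatically at that point removes the check.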