[seam-dev] XSRF and JSF2

Christian Bauer christian.bauer at gmail.com
Tue Sep 30 12:01:48 EDT 2008

Because it is back on Slashdot again today, I remembered why the  
"let's automatically build a view if we don't have one in RESTORE VIEW  
phase" proposal in JSF 2.0 was not sitting right with me.

You need a little background on XSRF (Wikipedia or something) and see  
the older discussion here and especially my last comment:


I actually now think that we should have a cryptographically strong  
(and of course mandatory) view identifier for better XSRF protection.  
There are some other solutions worth discussing but AFAIK most of the  
good ones involve a token/session mapping of some kind, so we run into  
the "view has expired" problem again.

More information about the seam-dev mailing list