Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I read somewhere the view ids used by JSF framework have a happy side effect of acting as request tokens and thus foiling CSRF. Can someone please tell me if this means I dont have to do anything from a programming point of view (ie). As a programmer, if I use JSF I dont have to worry about CSRF?
Is this guaranteed? Some implementations of JSF uses a sequential id that can be guessed by an attacker.
Here’s an article describing the Sun JSF-RI doing sequential view id generation instead of the more accepted Java SecureRandom:
http://seamframework.org/Documentation/CrossSiteRequestForgery