Hi
1.1.5 is too old. Please update to 1.1.8 or a later version.
See https://wiki.apache.org/myfaces/Secure_Your_Application for details.
regards,
Leonardo Uribe
2016-12-19 5:44 GMT-05:00 karthik kn :
> Hi,
> I am using myfaces-1.1.5 and using the following state saving method
>
> javax.faces.STATE_SAVING_METHOD = server
>
> However, I see that the object identifier is being sent to the server as
> follows:
>
> id="javax.faces.ViewState"
> value="rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAN0
> AAEzcHQAJi9qc3AvaGxyL2FjX3N1YnNjcmliZXIvY3J0U2luZ2xlQUMuanNw"
> />
>
> This is the serialized object identifier sent over the network
>
> We are using only https and not http.
>
> Does sending this serialized object identifier without encrypting open any
> vulnerability which the attacker could use to his/her advantage?
>
> --
> -
> Thanks & Regards
>
> Karthik.K.N
>
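
An added example, not part of either message and not MyFaces code: a check for whether a `javax.faces.ViewState` value is plain base64 of a Java serialization stream, run on the value quoted above exactly as it appears on the page (e-mail line wrap joined). The function names are hypothetical, and the string scan is a heuristic that reads bytes only and deserializes nothing.

```python
import base64
import binascii

# Java Object Serialization Stream Protocol constants.
STREAM_MAGIC = b"\xac\xed"      # every ObjectOutputStream starts with this
STREAM_VERSION = b"\x00\x05"
TC_STRING = 0x74                # followed by a 2-byte length and the characters

# ViewState value quoted in the message above, as it appears on the page,
# with the e-mail line wrap joined.
PAGE_VIEWSTATE = (
    "rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAN0"
    "AAEzcHQAJi9qc3AvaGxyL2FjX3N1YnNjcmliZXIvY3J0U2luZ2xlQUMuanNw"
)


def decode_viewstate(value):
    """Base64-decode a hidden-field value; return None if it is not base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_plain_java_serialization(value):
    """True when the value decodes to an unencrypted Java serialization stream."""
    raw = decode_viewstate(value)
    return raw is not None and raw[:4] == STREAM_MAGIC + STREAM_VERSION


def readable_strings(value):
    """Heuristic scan for TC_STRING records; no objects are deserialized."""
    raw = decode_viewstate(value) or b""
    found, i = [], 0
    while i + 3 <= len(raw):
        n = int.from_bytes(raw[i + 1:i + 3], "big")
        body = raw[i + 3:i + 3 + n]
        if raw[i] == TC_STRING and 0 < n == len(body) and all(32 <= b < 127 for b in body):
            found.append(body.decode("ascii"))
            i += 3 + n
        else:
            i += 1
    return found


if __name__ == "__main__":
    print(is_plain_java_serialization(PAGE_VIEWSTATE))
    print(readable_strings(PAGE_VIEWSTATE))
```

On the quoted value the check returns true and the scan recovers the JSP view path, so the field is readable by anyone who can see the rendered page; HTTPS protects it only in transit.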