Hi,
I am using myfaces-1.1.5 with the following state saving method:

<context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>server</param-value>
</context-param>

However, I see that the object identifier is being sent to the server as
follows:

<input type="hidden" name="javax.faces.ViewState"
id="javax.faces.ViewState"
value="rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAN0AAEzcHQAJi9qc3AvaGxyL2FjX3N1YnNjcmliZXIvY3J0U2luZ2xlQUMuanNw"
/></form>

This is the serialized object identifier sent over the network.

We are using only https and not http.

Does sending this serialized object identifier without encrypting it open any
vulnerability which an attacker could use to his/her advantage?

-- 
-------------------------
Thanks & Regards

Karthik.K.N

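Added example, not part of the original message and not MyFaces code: a Python sketch that decodes the ViewState value quoted above and shows it is a plain, unencrypted Java serialization stream whose contents can be read as-is. The Reader class and function names are hypothetical, and the parser is an assumption-limited one that handles only the record types present in this token (object array, string, null).

```python
import base64
import struct
# ViewState value copied from the message above.
VIEW_STATE = ("rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAN0AAEz"
              "cHQAJi9qc3AvaGxyL2FjX3N1YnNjcmliZXIvY3J0U2luZ2xlQUMuanNw")
TC_NULL, TC_CLASSDESC, TC_STRING, TC_ARRAY, TC_ENDBLOCKDATA = 0x70, 0x72, 0x74, 0x75, 0x78

class Reader:  # hypothetical helper: big-endian cursor over the decoded bytes
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, fmt):
        size = struct.calcsize(fmt)
        if self.pos + size > len(self.data):
            raise ValueError("truncated stream")
        (value,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += size
        return value
    def utf(self):  # 2-byte length followed by the string bytes
        return self.take(f">{self.take('>H')}s").decode("utf-8", "replace")

def read_class_desc(r):
    tag = r.take(">B")
    if tag == TC_NULL:
        return None
    if tag != TC_CLASSDESC:
        raise ValueError(f"unsupported class descriptor tag 0x{tag:02x}")
    name = r.utf()
    r.pos += 9  # skip serialVersionUID (8 bytes) and flags (1 byte)
    if r.take(">H") != 0 or r.take(">B") != TC_ENDBLOCKDATA:
        raise ValueError("fields and class annotations are out of scope here")
    read_class_desc(r)  # superclass descriptor
    return name

def read_object(r):
    tag = r.take(">B")
    if tag in (TC_NULL, TC_STRING):
        return r.utf() if tag == TC_STRING else None
    if tag == TC_ARRAY and (read_class_desc(r) or "").startswith("[L"):
        return [read_object(r) for _ in range(r.take(">i"))]
    raise ValueError(f"unsupported record 0x{tag:02x}")

def inspect_view_state(token):
    r = Reader(base64.b64decode(token))
    if r.take(">H") != 0xACED or r.take(">H") != 5:
        return None  # no Java serialization header: encrypted, compressed, or other
    return read_object(r)

if __name__ == "__main__":
    print(inspect_view_state(VIEW_STATE))
```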