dev@javaserverfaces.java.net

Re: [2126-FlashDataExploit] request to de-couple issues

From: Leonardo Uribe <lu4242_at_gmail.com>
Date: Tue, 11 Jun 2013 18:29:12 +0100

Hi

This issue calls my attention, because I remember we had discussed it
a long time ago.

2013/6/10 Edward Burns <edward.burns_at_oracle.com>:
> https://java.net/jira/browse/JAVASERVERFACES-2126
>
> I think it would help to separate out the discussion on this issue into
> two parts.
>
> 1. The original intent of the issue: making the Flash more secure
>

In my opinion, a random number generator like the one used
in Apache Trinidad for its pageFlowScope is enough. The idea here
is just to make it very difficult to guess the next number in the sequence.

> 2. Whether or not flash depends on the session.
>
> related issue:
>
> https://java.net/jira/browse/JAVASERVERFACES-1449
>

Flash scope "must" be stored in the session. The problem is that anything
outside session scope will not be replicated or moved between servers
in a cluster. It will only work if the same web server receives all
incoming requests for the same web user. In my opinion there will not
be any performance improvement, and there is a high chance of creating
a memory leak, because information stored in the session expires after
an already-configured time, but for all information stored outside session
scope it is necessary to write code that does the same thing.

To make it short:

- Making "flash" scope live outside the session looks like reinventing the wheel.
- If the session is used to store flash scope, the security level is given
by the session token, which is ok. But anyway a random number for
the flash token is a good idea.

Before trying 2, it is necessary to have strong evidence that session
storage could be inconvenient, and that another alternative could be
better, but I find that too hard to believe.

regards,

Leonardo Uribe

> Is it safe to separate these? If so, I can create a new issue for part
> 2.
>
> If I don't hear anything in a few days, that's what I'll do.
>
>
> --
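An illustration of the two points above (an unguessable flash token, kept in a session-scoped store so it expires with the session), written as an added example for this thread. It is not code from Mojarra, Apache Trinidad, or any participant; the class and method names, the 16-byte token size, and the in-memory map standing in for an HttpSession attribute are all assumptions made for the demo.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not project code): contrasts a guessable sequential
 * flash token with one drawn from SecureRandom, and shows the token
 * used as a key into a map that would live inside the HttpSession.
 */
public final class FlashTokenDemo {

    /** Weak variant: the next token is the previous one plus one. */
    static final class SequentialTokens {
        private long next = 0;
        synchronized String nextToken() { return Long.toString(next++); }
    }

    /** Strong variant: 128 bits from a CSPRNG, base64url without padding. */
    static final class RandomTokens {
        private final SecureRandom rng = new SecureRandom();
        String nextToken() {
            byte[] buf = new byte[16];          // assumed size: 128 bits of entropy
            rng.nextBytes(buf);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        }
    }

    /**
     * Flash entries keyed by token. In a real container this map would be a
     * single attribute on the HttpSession, so it is replicated with the
     * session in a cluster and discarded when the session expires; no
     * separate reaper thread is needed. Here a plain HashMap stands in.
     */
    static final class SessionFlashStore {
        private final Map<String, Map<String, Object>> entries = new HashMap<>();
        private final RandomTokens tokens = new RandomTokens();

        /** Store data for the next request and return the token to send to the client. */
        synchronized String put(Map<String, Object> flashData) {
            String token = tokens.nextToken();
            entries.put(token, new HashMap<>(flashData));
            return token;
        }

        /** Flash data is single-use: remove on read so a token cannot be replayed. */
        synchronized Map<String, Object> take(String token) {
            return entries.remove(token);
        }
    }

    /** An attacker who saw one token guesses the next one the naive way. */
    static String guessNext(String previous) {
        try {
            return Long.toString(Long.parseLong(previous) + 1);
        } catch (NumberFormatException e) {
            return null;                        // nothing to extrapolate from
        }
    }

    public static void main(String[] args) {
        SequentialTokens seq = new SequentialTokens();
        String s1 = seq.nextToken();
        String s2 = seq.nextToken();
        System.out.println("sequential guess correct: " + s2.equals(guessNext(s1)));

        SessionFlashStore store = new SessionFlashStore();
        Map<String, Object> data = new HashMap<>();
        data.put("message", "saved");            // constructed sample flash data
        String t1 = store.put(data);
        String t2 = store.put(data);
        System.out.println("random guess correct:     " + t2.equals(guessNext(t1)));
        System.out.println("first take:  " + store.take(t1));
        System.out.println("second take: " + store.take(t1)); // null: already consumed
    }
}
```

Run with `java FlashTokenDemo.java` (JDK 11+). The sequential guess succeeds and the random one does not; the second `take` returns null because the entry was removed on first read, which is the behaviour a flash scope wants regardless of where the map is stored.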