dev@javaserverfaces.java.net

Re: [2126-FlashDataExploit] request to de-couple issues

From: Edward Burns <edward.burns_at_oracle.com>
Date: Thu, 13 Jun 2013 09:26:44 -0700

>>>>> On Tue, 11 Jun 2013 18:29:12 +0100, Leonardo Uribe <lu4242_at_gmail.com> said:

LU> Hi
LU> This issue caught my attention, because I remember we discussed it
LU> a long time ago.

LU> 2013/6/10 Edward Burns <edward.burns_at_oracle.com>:
>> https://java.net/jira/browse/JAVASERVERFACES-2126
>>
>> I think it would help to separate out the discussion on this issue into
>> two parts.
>>
>> 1. The original intent of the issues: making the Flash more secure
>>

LU> In my opinion, a random number generator like the one used in Apache
LU> Trinidad for its pageFlowScope is enough. The idea here is just to make
LU> it very difficult to guess the next number in the sequence.

I agree. I applied this to 2126.

>> 2. Whether or not flash depends on the session.
>>
>> related issue:
>>
>> https://java.net/jira/browse/JAVASERVERFACES-1449
>>

LU> Flash scope "must" be stored in the session. The problem is that anything
LU> outside session scope will not be replicated or moved between servers
LU> in a cluster. It will only work if the same web server receives all
LU> incoming requests for the same web user. In my opinion there will not
LU> be any performance improvement, and there is a high chance of creating
LU> a memory leak, because information stored in the session expires after
LU> some already-configured time, but for all information stored outside
LU> session scope it is necessary to write code that does the same thing.

LU> To make it short:

LU> - Making "flash" scope outside the session looks like reinventing the wheel.
LU> - If the session is used to store flash scope, the security level is given
LU> by the session token, which is ok. But anyway, a random number for
LU> the flash token is a good idea.

LU> Before trying 2, it is necessary to have strong evidence that session
LU> storage could be inconvenient, and that another alternative could be
LU> better, but I find that too hard to believe.

LU> regards,

LU> Leonardo Uribe

>> Is it safe to separate these? If so, I can create a new issue for part
>> 2.
>>
>> If I don't hear anything in a few days, that's what I'll do.

I have opened <https://java.net/jira/browse/JAVASERVERFACES-2898> and
applied Leonardo's comments there.

Ed
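Added illustration of the point discussed in part 1 of this thread, that a flash token must be hard to guess from the tokens issued before it. This is not Mojarra, Trinidad or thread code; the two token sources, the hex token format and the attacker model (observe two consecutive tokens, assume an arithmetic sequence, predict the third) are assumptions made for the demonstration.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.Supplier;

/**
 * Demonstration only: a guessable token source beside an unguessable one,
 * and the trivial prediction attack that separates them. Not framework code.
 */
public class FlashTokenDemo {

    /** Guessable stand-in (assumed): a monotonically increasing counter, hex encoded. */
    static Supplier<String> counterTokens() {
        AtomicLong next = new AtomicLong(1);
        return () -> Long.toHexString(next.getAndIncrement());
    }

    /** Unguessable stand-in (assumed): 128 bits from the JDK CSPRNG, hex encoded. */
    static Supplier<String> randomTokens() {
        SecureRandom rng = new SecureRandom();
        return () -> {
            byte[] buf = new byte[16];
            rng.nextBytes(buf);
            // signum 1 keeps the value non-negative; %032x pads to 32 hex digits
            return String.format("%032x", new BigInteger(1, buf));
        };
    }

    /**
     * Attacker model: two consecutive tokens handed to other users are observed,
     * the sequence is assumed arithmetic, and the third token is predicted.
     * Returns true when the prediction matches the token actually issued.
     */
    static boolean thirdTokenPredicted(Supplier<String> source) {
        BigInteger t1 = new BigInteger(source.get(), 16);
        BigInteger t2 = new BigInteger(source.get(), 16);
        BigInteger guess = t2.add(t2.subtract(t1));
        BigInteger t3 = new BigInteger(source.get(), 16);
        return guess.equals(t3);
    }

    public static void main(String[] args) {
        System.out.println("counter tokens predicted: " + thirdTokenPredicted(counterTokens()));
        System.out.println("random tokens predicted:  " + thirdTokenPredicted(randomTokens()));
    }
}
```

The counter source is predicted every time; the SecureRandom source is predicted only with negligible probability. Note that java.util.Random would not satisfy the criterion either: it is a 48-bit linear congruential generator whose state can be recovered from two observed outputs, so the next value is again computable. A CSPRNG such as SecureRandom is the appropriate source for a token that is meant to be unguessable.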