>>>>> On Tue, 11 Jun 2013 18:29:12 +0100, Leonardo Uribe <lu4242_at_gmail.com> said:
LU> Hi
LU> This issue calls my attention, because I remember we had discussed it
LU> long time ago.
LU> 2013/6/10 Edward Burns <edward.burns_at_oracle.com>:
>> https://java.net/jira/browse/JAVASERVERFACES-2126
>>
>> I think it would help to separate out the discussion on this issue into
>> two parts.
>>
>> 1. The original intent of the issues: making the Flash more secure
>>
LU> In my opinion, a random number generator like the one used in Apache
LU> Trinidad for its pageFlowScope is enough. The idea here is just to make
LU> it very difficult to guess the next number in the sequence.
I agree. I applied this to 2126.
>> 2. Whether or not flash depends on the session.
>>
>> related issue:
>>
>> https://java.net/jira/browse/JAVASERVERFACES-1449
>>
LU> Flash scope "must" be stored in the session. The problem is anything
LU> outside session scope will not be replicated or moved between servers
LU> in a cluster. It will only work if the same web server for the same
LU> web user receives all incoming requests. In my opinion there will not
LU> be any performance improvement, and there is a high chance of creating
LU> a memory leak, because information stored in the session expires after
LU> some already configured time, but for all information stored outside session
LU> scope it is necessary to create code that does the same thing.
LU> To make it short:
LU> - Making "flash" scope work outside the session looks like reinventing the wheel.
LU> - If the session is used to store flash scope, the security level is given
LU> by the session token, which is ok. But anyway a random number for
LU> the flash token is a good idea.
LU> Before trying 2, it is necessary to have strong evidence that session
LU> storage could be inconvenient, and that another alternative could be
LU> better, but I find that too hard to believe.
LU> regards,
LU> Leonardo Uribe
>> Is it safe to separate these? If so, I can create a new issue for part
>> 2.
>>
>> If I don't hear anything in a few days, that's what I'll do.
I have opened <https://java.net/jira/browse/JAVASERVERFACES-2898> and applied Leonardo's comments there.
Ed
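The token scheme Leonardo describes above, as an added example that is not part of the thread and not Mojarra's or Apache Trinidad's code: a sequential id is shown only for contrast, the flash token itself comes from `SecureRandom`, and the store is meant to sit as a session attribute so the session's own expiry bounds its lifetime. The class names `FlashTokenDemo`, `SequentialTokens`, `RandomTokens` and `FlashStore`, the token size and the entry cap are all assumptions chosen for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example, not Mojarra's or Apache Trinidad's code: a flash-entry token
// generator in the style the thread recommends. All class and method names
// here are assumptions chosen for illustration.
public final class FlashTokenDemo {

    // The pattern the thread warns against: a sequential id. Shown only for
    // contrast; a client that has seen one value can infer the next.
    static final class SequentialTokens {
        private long counter = 0;
        synchronized String next() { return Long.toString(++counter); }
    }

    // The recommended pattern: 128 bits from a CSPRNG, base64url without
    // padding (22 characters), so the token is URL-safe and infeasible to guess.
    static final class RandomTokens {
        private static final SecureRandom RNG = new SecureRandom();
        private static final int TOKEN_BYTES = 16; // assumed size

        String next() {
            byte[] buf = new byte[TOKEN_BYTES];
            RNG.nextBytes(buf);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        }
    }

    // Per-session flash store keyed by token. It is meant to live as a session
    // attribute so the session's expiry bounds its lifetime (Leonardo's point);
    // the entry cap is an extra guard against unbounded growth within one session.
    static final class FlashStore {
        private static final int MAX_ENTRIES = 32; // assumed cap
        private final RandomTokens tokens = new RandomTokens();
        private final Map<String, Map<String, Object>> entries = Collections.synchronizedMap(
            new LinkedHashMap<String, Map<String, Object>>() {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, Map<String, Object>> eldest) {
                    return size() > MAX_ENTRIES;
                }
            });

        // Store values for the next request and hand back the token to carry in the URL.
        String put(Map<String, Object> values) {
            String token = tokens.next();
            entries.put(token, values);
            return token;
        }

        // Flash semantics: an entry is consumed by the first request that presents
        // its token; a wrong or reused token simply yields null.
        Map<String, Object> take(String token) {
            return token == null ? null : entries.remove(token);
        }
    }

    public static void main(String[] args) {
        SequentialTokens seq = new SequentialTokens();
        System.out.println("sequential: " + seq.next() + ", " + seq.next() + ", " + seq.next());

        FlashStore store = new FlashStore();
        String t1 = store.put(Map.<String, Object>of("message", "Saved"));
        String t2 = store.put(Map.<String, Object>of("message", "Deleted"));
        System.out.println("random:     " + t1 + ", " + t2);
        System.out.println("take t1       -> " + store.take(t1));
        System.out.println("take t1 again -> " + store.take(t1)); // null, already consumed
        System.out.println("take bogus    -> " + store.take("not-a-real-token"));
    }
}
```

Because the store is keyed by a 128-bit random value, the flash token on its own carries no ordering information, and because the map lives inside the session object, nothing separate has to be written to expire or replicate it, which is the cluster and memory-leak argument made in the thread.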