Re: [faces-dev] Client Window ID Issue

Hi,

While licenses are always a concern, it looks like Mojarra already incorporates a few files with this license.

Kind regards,
Arjan Tijms


On Tue, 12 Dec 2023 at 00:16, Jason Lee via faces-dev <faces-dev@xxxxxxxxxxx> wrote:

Concerns over how Mojarra generates its client window ID were recently brought to my attention. While the spec appears to be silent on the issue, Mojarra uses the session ID to build the ID, and MyFaces uses a secure random. The use of the session ID is of concern to the reporter here, as that can contribute to session hijacking attacks, at least in theory. While there are ways to mitigate or reduce those chances, I'd like to eliminate them altogether.

I have filed an issue (https://github.com/eclipse-ee4j/mojarra/issues/5375) and put up a PR (https://github.com/eclipse-ee4j/mojarra/pull/5376). While I know the PR will be seen eventually, I bring it up here to highlight that I copied (copyright and all, of course), the TokenGenerator class that MyFaces uses. If that (or the license, etc) is an issue, please let me know and I'll work on another implementation. Since there was an existing open source one with what I _think_ is a compatible license, I saw no reason for the exercise (I actually used a potentially naive UUID-based impl to test with originally). I hope I wasn't wrong. :)
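To make the design point of the thread concrete, here is an added illustration (not Mojarra's current code and not the MyFaces TokenGenerator the PR copies): a client window ID generator built on SecureRandom, placed beside the weak pattern it replaces, where the ID is assembled from the session ID plus a counter. The class name, the 16-byte token length and the sample session ID are assumptions made for this example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicLong;

/**
 * Added example, not project code. Contrasts a client window ID derived
 * from the HTTP session ID with one drawn from a CSPRNG.
 */
public final class ClientWindowIdExample {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder ENCODER = Base64.getUrlEncoder().withoutPadding();

    /** Random bytes per token (assumed value: 16 bytes = 128 bits of entropy). */
    private static final int TOKEN_BYTES = 16;

    private static final AtomicLong COUNTER = new AtomicLong();

    /**
     * Weak pattern (illustrative only, not Mojarra's exact implementation):
     * the window ID embeds the session ID, so any place the window ID is
     * exposed (URLs, referrers, logs, screenshots) also exposes the session ID.
     */
    static String sessionDerivedWindowId(String sessionId) {
        return sessionId + ":" + COUNTER.incrementAndGet();
    }

    /**
     * Preferred pattern: a fresh, unpredictable token with no relationship
     * to the session ID. URL-safe Base64 keeps it usable as a query parameter.
     */
    public static String randomWindowId() {
        byte[] bytes = new byte[TOKEN_BYTES];
        RANDOM.nextBytes(bytes);
        return ENCODER.encodeToString(bytes);
    }

    /** Review check: does the window ID carry the session ID as a substring? */
    static boolean embedsSessionId(String windowId, String sessionId) {
        return windowId.contains(sessionId);
    }

    public static void main(String[] args) {
        // Constructed sample session ID; not a real container value.
        String sessionId = "EXAMPLE-SESSION-ID-0123456789";

        String weak = sessionDerivedWindowId(sessionId);
        String strong = randomWindowId();

        System.out.println("session-derived id: " + weak
                + " embeds session id? " + embedsSessionId(weak, sessionId));
        System.out.println("random id:          " + strong
                + " embeds session id? " + embedsSessionId(strong, sessionId));
    }
}
```

The substring check is deliberately simple; it catches the direct-concatenation case only. A hashed or encoded derivation would pass it while still tying the window ID to the session, so the real review criterion is the one the thread states: the generator must not take the session ID as input at all.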
