Concerns over how Mojarra generates its client window ID were
recently brought to my attention. While the spec appears to be
silent on the issue, Mojarra uses the session ID to build the ID,
and MyFaces uses a secure random. The use of the session ID is of
concern to the reporter here, as that can contribute to session
hijacking attacks, at least in theory. While there ways to
mitigate or reduce those chances, I'd like to eliminate then
altogether.
I have filed an issue
(https://github.com/eclipse-ee4j/mojarra/issues/5375) and put up a
PR (https://github.com/eclipse-ee4j/mojarra/pull/5376). While I
know the PR will be seen eventually, I bring it up here to
highlight that I copied (copyright and all, of course), the
TokenGenerator class that MyFaces uses. If that (or the license,
etc) is an issue, please let me know and I'll work on another
implementation. Since there was an existing open source one with
what I _think_ is a compatible license, I saw no reason for the
exercise (I actually used a potentially naive UUID-based impl to
test with originally). I hope I wasn't wrong. :)
_______________________________________________