Implement client state timeout

[ren-zhijun-oracle]

I ran into an interesting security issue using JSF client-side state saving. Suppose you have simple form with a couple of text fields and a command button. Over time, you discover that link spammers are using your form to promote a pharmacopeia of male enhancement drugs. Being the vigorous Java developer that you are, you decide to add a security component to your form, such as Seam's CAPTCHA implementation, to prevent the advertisement of these superfluous medicines. The link spammers are wily; they don't sit around hitting the submit button each time they want your business. Rather, they have some automated tools that schedule and submit an offline copy of your web page. Now, what happens when the link spammers post an older version of your form, i.e. a snapshot of the view before you added the security component? If you used client-side state saving, the UI component tree was saved along with the HTML, so the link spammer's form submission does not contain the recently added security component! The net result is that, due to client-side state saving, the spammer can now bypass your CAPTCHA security component. I would switch to server-side state saving for security purposes, but some frameworks require client-side state saving.

Potential solution...

Encrypting client state still leaves applications vulnerable to the issue I described. Perhaps an effective solution would be to expire the view state somehow, eg. if the HTTP session associated with the incoming state has expired, throw a servlet exception. I'm sure a date/time token could be added to the encoded view state to track when the view was serialized. Applications could control this via web.xml, for example by specifying the maximum age of the view state before it is considered invalid by the server in way that is similar to how browsers handle expired cookies and digital certificates.

Information obtained from Ian Hlavats on a TSS discussion (http://www.theserverside.com/news/thread.tss?thread_id=46490#237621)

Environment

Operating System: All Platform: All

Affected Versions

[1.2_04]

[ren-zhijun-oracle]

• Issue Imported From: https://github.com/javaserverfaces/mojarra/issues/616
• Original Issue Raised By:@javaserverfaces
• Original Issue Assigned To: @glassfishrobot
• Original Issue Closed By:@javaserverfaces

[ren-zhijun-oracle]

@javaserverfaces Commented Reported by @rlubke

[ren-zhijun-oracle]

@javaserverfaces Commented @rlubke said: Cleaned up description.

[ren-zhijun-oracle]

@javaserverfaces Commented @rlubke said: Created an attachment (id=523) Proposed Changes (ver 1)

[ren-zhijun-oracle]

@javaserverfaces Commented @rlubke said: Fix checked in. Targeted for 1.2_05.

[ren-zhijun-oracle]

@javaserverfaces Commented @rlubke said: reopening to set the proper owner.

[ren-zhijun-oracle]

@javaserverfaces Commented @rlubke said: Assigned.

[ren-zhijun-oracle]

@javaserverfaces Commented @rlubke said: Closing back out.

[ren-zhijun-oracle]

@javaserverfaces Commented @manfredriem said: Closing issue out

[ren-zhijun-oracle]

@javaserverfaces Commented File: changebundle.txt Attached By: @rlubke

[ren-zhijun-oracle]

@javaserverfaces Commented Was assigned to rlubke

[ren-zhijun-oracle]

@javaserverfaces Commented This issue was imported from java.net JIRA JAVASERVERFACES-612

[ren-zhijun-oracle]

@javaserverfaces Commented Marked as fixed on Monday, September 24th 2007, 7:42:24 am