
Kind of a general question. I have a web app running on a private network, only to be used by associates. The application runs on three different servers, but for some reason throws a view state error whenever workload management causes an open session to jump to a different server. Changing the view state saving method to client did not fix the issue, but doing that in addition to disabling the MyFaces core encryption did, which I believe affects save state encryption. Being that this application runs on a private network, I am wondering if it is OK to leave the view states unencrypted? The forms and submits contain no sensitive data; however, there is a login. No register new user either, only the login, as the credentials are derived from a different source, and that is the only sensitive data. Guidance would be greatly appreciated!

To be more clear, I'm wondering if anyone can explain to me whether or not this is a safe thing to do, and give me a reason as to why it is or is not safe.

John W
  • So you checked if you use the same encryption key on all servers, and that was the case – Kukeltje Feb 14 '19 at 17:16
  • That I did. They all point to the same .keys. Now I am attempting to verify if there are any repercussions to leaving this as is on a private network. – John W Feb 14 '19 at 18:59
  • I'd personally not leave it unencrypted indefinitely. Maybe for a short period and only over HTTPS until the cause is found (I'd still think it is keys related) – Kukeltje Feb 15 '19 at 18:41

1 Answer


If you use MyFaces 2.3.x, you can safely deactivate encryption when using server-side state saving, even in public. See: https://issues.apache.org/jira/browse/MYFACES-4133

However, I would not turn it off for client-side state saving.

tandraschko
  • Hey, thanks for the input; however, a solution was found for my initial issue here: https://stackoverflow.com/questions/54659014/ Now I no longer need to ponder the risk. I would like to ask why you would not turn it off for client-side saving in a private network, however. – John W Feb 21 '19 at 15:00
  • Because private doesn't mean trusted - it's a security risk. – tandraschko Feb 21 '19 at 19:09
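The two configurations the answer contrasts, written out as web.xml fragments. This is an added example, not configuration from the question or the answer: the MyFaces context parameters (javax.faces.STATE_SAVING_METHOD, org.apache.myfaces.USE_ENCRYPTION, org.apache.myfaces.SECRET, org.apache.myfaces.MAC_SECRET) are real MyFaces 2.x settings, but the Base64 key values are placeholders you must replace with your own keys, and the "deploy the same value to every node" remark reflects the comments' suspicion that mismatched keys across the cluster caused the original error rather than anything the page confirms.

```xml
<!-- web.xml fragments (added example, not from the original post).

     Variant A: server-side state saving. The browser only receives a
     token that references state held in the HTTP session; the answer
     above says MyFaces 2.3.x allows encryption to be disabled here.
     NOTE: server-side state is what the session-affinity problem in the
     question is about, so a cluster needs session replication or sticky
     sessions for this variant to work across nodes. -->
<context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>server</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
  <param-value>false</param-value>
</context-param>

<!-- Variant B: client-side state saving. The serialized component tree
     itself travels to the browser and is deserialized on every postback,
     so anyone who can reach the app can alter it unless it is encrypted
     and integrity-protected. Keep encryption ON and pin the keys
     explicitly so all three servers accept each other's view state.
     Values are placeholders: generate random keys and Base64-encode
     them; never ship these literal strings. -->
<context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>client</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
  <param-value>true</param-value>
</context-param>
<context-param>
  <!-- Base64-encoded encryption key; identical on every node -->
  <param-name>org.apache.myfaces.SECRET</param-name>
  <param-value>REPLACE_WITH_BASE64_ENCRYPTION_KEY</param-value>
</context-param>
<context-param>
  <!-- Base64-encoded MAC key; identical on every node -->
  <param-name>org.apache.myfaces.MAC_SECRET</param-name>
  <param-value>REPLACE_WITH_BASE64_MAC_KEY</param-value>
</context-param>
```

Use one variant, not both. The point of pinning org.apache.myfaces.SECRET and org.apache.myfaces.MAC_SECRET in Variant B is that if each server generates its own key at startup, a view state encrypted by one node fails verification on another, which produces exactly the kind of cross-server view state error described in the question; disabling encryption hides that symptom but also removes the integrity check that stops a client from tampering with the serialized state.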