We have a product currently being security tested by a third party, and one of the issues they have raised is the method of view state saving. This is their comment:
View states are used by web applications to store the state of HTML GUI controls & are stored in hidden client-side input fields. Vendors generally recommend that client-side view states are cryptographically signed and/or encrypted; however, during testing it was identified that the viewstate wasn’t encrypted nor signed & could be easily viewed - should any sensitive items be stored within the field it may provide an avenue of attack.
Look to enable encryption & a cryptographic signature such as a ViewState token.
So my question is: should I move the view state to the server side and attempt to cope with the memory issues that may arise, or does RichFaces provide encryption of the client view state?
I am aware that MyFaces has the option of setting something in the web.xml to force the client view state to be encrypted, and was hoping that RichFaces has similar functionality.
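As an added illustration (not part of the original post), the two web.xml configurations the question weighs against each other: server-side state saving, and client-side state saving with the MyFaces encryption and MAC parameters. RichFaces is a component library that runs on top of a JSF implementation (Mojarra or MyFaces), and the state-saving mechanism belongs to that implementation, so the `org.apache.myfaces.*` parameters below apply when MyFaces is the implementation underneath RichFaces; they are the documented MyFaces context parameters, not RichFaces settings. The base64 key values are placeholders to be replaced with freshly generated random keys, and the view-count value is an assumed example.

```xml
<!-- Option A: keep state on the server. The client only receives an opaque
     view identifier, so nothing sensitive is serialized into the page.
     NUMBER_OF_VIEWS_IN_SESSION bounds the per-session memory cost
     (20 is the MyFaces default; 15 here is an assumed example value). -->
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.NUMBER_OF_VIEWS_IN_SESSION</param-name>
    <param-value>15</param-value>
</context-param>

<!-- Option B: keep client-side state, but encrypt it and attach a MAC so
     it can be neither read nor tampered with. The secrets must be
     base64-encoded random keys generated out of band (placeholders here)
     and must be identical on every node of a cluster. -->
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
    <param-value>true</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM</param-name>
    <param-value>AES</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM.PARAMETERS</param-name>
    <param-value>CBC/PKCS5Padding</param-value>
</context-param>
<context-param>
    <!-- base64 of a 16-byte random AES key: PLACEHOLDER, generate your own -->
    <param-name>org.apache.myfaces.SECRET</param-name>
    <param-value>REPLACE_WITH_BASE64_AES_KEY</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
    <param-value>HmacSHA256</param-value>
</context-param>
<context-param>
    <!-- base64 of a random HMAC key, distinct from the AES key: PLACEHOLDER -->
    <param-name>org.apache.myfaces.MAC_SECRET</param-name>
    <param-value>REPLACE_WITH_BASE64_HMAC_KEY</param-value>
</context-param>
```

Only one of the two `javax.faces.STATE_SAVING_METHOD` entries would be present in a real deployment; they are shown side by side to contrast the choices. A quick check after deploying Option B is to view the page source and confirm the `javax.faces.ViewState` hidden field no longer contains a readable serialized component tree.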