I read following (https://www.beyondjava.net/jsf-viewstate-and-csrf-hacker-attacks) article about csrf protection in jsf 2.2. It states that the csrf protection only works f
