Implications of saving session on the client with javax.faces.STATE_SAVING_METHOD
问题 My first JSF page was throwing javax.faces.application.ViewExpiredException . while I searched I got this solution which solved my problem. <context-param> <param-name>javax.faces.STATE_SAVING_METHOD</param-name> <param-value>client</param-value> </context-param> But I am concerned about the security implication. 回答1: This doesn't save the "session" in client side at all. This only saves the JSF view state in client side. This is in JSF 2.2 always AES-encrypted with a key which is generated