
I have a wizard-based screen which allows the user to go to the next and previous pages. On back or next, I submit the page and save the forms in session using @SessionScoped managed beans. Functionality works fine if I leave NUMBER_OF_VIEWS_IN_SESSION at its default of 20, but reducing it to below 10 stops the page flow (no error displayed). What is wrong here, and how can I optimize the size of NUMBER_OF_VIEWS_IN_SESSION?

    <context-param>
        <param-name>org.apache.myfaces.NUMBER_OF_VIEWS_IN_SESSION</param-name>
        <param-value>1</param-value>
    </context-param>

I am using MyFaces.

ad-inf
  • I think default is 20 and not 0. – Ravi Kadaboina Jun 29 '12 at 14:41
  • You should probably read this [answer](http://stackoverflow.com/questions/5474316/why-does-jsf-need-to-save-the-state-of-ui-components-on-the-server-side) by BalusC; as mentioned, I think it depends on the number of POST requests you make on your page. – Ravi Kadaboina Jun 30 '12 at 01:58
  • @Ravi: Thanks. The link shared was useful to clear my understanding. My internet-facing application is expected to get more than 50k concurrently logged-in users during peak hours. Also, I have a few pages (wizards) accessible to unauthenticated users. Every access to a page will add to the size of the session and hence is susceptible to a probable DoS attack. Yes, we will set up various hardware to check DoS attacks, but I would like to strengthen the application if feasible. Is it possible to clear certain views from session? Any other suggestion on optimizing this memory usage? – ad-inf Jun 30 '12 at 05:12
  • I would say, instead of messing with the number of views in session: if your MyFaces core is 2.0 or higher, by default javax.faces.STATE_SAVING_METHOD is set to server and javax.faces.PARTIAL_STATE_SAVING is set to true, which means that only part of the changes are saved. More [info](http://stackoverflow.com/questions/4390711/jsf-2-0-partial-session-saving-not-working). If even this is heavy on your application server, set the state_saving_method to client, where the view data is encoded and stored in a hidden field on the page. – Ravi Kadaboina Jun 30 '12 at 19:45
  • But beware: don't use client side for sensitive sites, as they are prone to padding oracle attacks [link](http://static.usenix.org/events/woot10/tech/full_papers/Rizzo.pdf) – Ravi Kadaboina Jun 30 '12 at 19:46
  • Thanks Ravi. It is a sensitive site and bandwidth is also a concern, hence cannot use client side. – ad-inf Jun 30 '12 at 20:06

0 Answers
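Added example, not part of the original question or comments: a simplified Python model of a per-session server-side view store, showing why a postback fails once its saved view has been pushed out by a small NUMBER_OF_VIEWS_IN_SESSION, and what the limit means for worst-case memory across sessions. The class and function names, the oldest-first eviction, and the 10 KiB per-view size are assumptions for illustration, not MyFaces code or measurements.

```python
from collections import OrderedDict
from itertools import count


class SessionViewCache:
    """Simplified model (assumption): one session keeps at most max_views saved views."""

    def __init__(self, max_views):
        self.max_views = max_views
        self._views = OrderedDict()   # token -> page, oldest first
        self._tokens = count(1)

    def render(self, page):
        """Save the state of a rendered page and return its view-state token."""
        token = next(self._tokens)
        self._views[token] = page
        while len(self._views) > self.max_views:
            self._views.popitem(last=False)   # evict the oldest saved view
        return token

    def postback(self, token):
        """Return the page whose state is restored, or None if it was evicted."""
        return self._views.get(token)


def stale_submit_survives(max_views, renders_in_between):
    """Render step1, render other views in the same session, then submit step1."""
    cache = SessionViewCache(max_views)
    token = cache.render("step1")
    for i in range(renders_in_between):
        cache.render(f"other{i}")   # e.g. other tabs, frames, or wizard pages
    return cache.postback(token) == "step1"


def worst_case_state_bytes(sessions, max_views, bytes_per_view):
    """Upper bound on retained view state: every session holds a full cache."""
    return sessions * max_views * bytes_per_view


if __name__ == "__main__":
    for limit in (20, 10, 1):
        ok = stale_submit_survives(limit, renders_in_between=10)
        print(f"limit={limit:2d}: submit after 10 other renders restored={ok}")
    # 50k sessions is the figure from the question; 10 KiB per view is assumed.
    for limit in (20, 5):
        gib = worst_case_state_bytes(50_000, limit, 10 * 1024) / 2**30
        print(f"limit={limit:2d}: worst case {gib:.2f} GiB of view state")
```

The model shows the trade-off discussed in the comments: the limit caps memory per session, so total exposure scales with the number of sessions, while a limit that is too small makes older forms in the same session unrestorable.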