Tags: java, jsf, token, csrf

JSF view id as request tokens


I read somewhere that the view ids used by the JSF framework have a happy side effect of acting as request tokens and thus foiling CSRF. Can someone please tell me if this means I don't have to do anything from a programming point of view (i.e., as a programmer, if I use JSF I don't have to worry about CSRF)?


Solution

  • Is this guaranteed? Some implementations of JSF use a sequential id that can be guessed by an attacker.

    Here's an article describing the Sun JSF-RI doing sequential view id generation instead of the more accepted Java SecureRandom:

    http://seamframework.org/Documentation/CrossSiteRequestForgery
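To make the point in the answer concrete, here is an added example (not code from the question, the answer, or the JSF reference implementation) contrasting a counter-based "token" with one drawn from SecureRandom. The CsrfTokenService class, its in-memory session map (standing in for an HttpSession), and the sample session ids are all assumptions made for illustration; a real deployment would store the token in the user's session and compare the hidden form field against it on every state-changing request.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Minimal anti-CSRF token service (illustration only, not JSF's own code).
 * Tokens come from SecureRandom rather than a counter, so an attacker cannot
 * derive the next value from one they have seen; each token is bound to a
 * session and compared in constant time.
 */
public final class CsrfTokenService {
    private static final int TOKEN_BYTES = 32;            // 256 bits of entropy per token
    private final SecureRandom random = new SecureRandom();
    // session id -> token; stand-in for the HttpSession attribute a real app would use (assumption)
    private final Map<String, String> tokensBySession = new ConcurrentHashMap<>();

    /** Issue the token for a session (reusing an existing one); render it as a hidden form field. */
    public String tokenFor(String sessionId) {
        return tokensBySession.computeIfAbsent(sessionId, id -> {
            byte[] buf = new byte[TOKEN_BYTES];
            random.nextBytes(buf);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        });
    }

    /** Validate a submitted token against the session's token using a constant-time comparison. */
    public boolean isValid(String sessionId, String submitted) {
        String expected = tokensBySession.get(sessionId);
        if (expected == null || submitted == null) {
            return false;                                   // unknown session or missing field
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    /** Contrast: a sequential id like the one the linked article describes; each value reveals the next. */
    static final class SequentialTokenSource {
        private long counter = 0;
        String next() { return Long.toString(++counter); }
    }

    public static void main(String[] args) {
        CsrfTokenService svc = new CsrfTokenService();
        String session = "session-A";                       // constructed sample session id
        String token = svc.tokenFor(session);
        System.out.println("issued token: " + token);
        System.out.println("same session, same token accepted: " + svc.isValid(session, token));
        System.out.println("guessed value rejected: " + svc.isValid(session, "1"));
        System.out.println("token from another session rejected: " + svc.isValid("session-B", token));

        SequentialTokenSource seq = new SequentialTokenSource();
        String t1 = seq.next();
        String t2 = seq.next();
        System.out.println("sequential ids: " + t1 + ", " + t2
                + " (the following one is simply " + (Long.parseLong(t2) + 1) + ")");
    }
}
```

The check to carry over to a JSF application is the one the answer raises: whatever value is being relied on as a CSRF token must be unpredictable to someone outside the session, not merely present. A sequential view id satisfies the second property but not the first, which is why it should not be treated as a substitute for an explicit random token.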