Tags: jsf, encryption, web-applications, viewstate, myfaces

Is it ok to leave view state un-encrypted on a private network?


Kind of a general question. I have a web app running on a private network, only to be used by associates. The application runs on three different servers, but for some reason throws a view state error whenever workload management causes an open session to jump to a different server. Changing the view state saving method to client did not fix the issue, but doing that in addition to disabling the MyFaces core encryption did, which I believe affects save state encryption. Given that this application runs on a private network, I am wondering if it is ok to leave the view states un-encrypted? The forms and submits contain no sensitive data; however, there is a login. No "register new user" either, only the login, as the credentials are derived from a different source, and that is the only sensitive data. Guidance would be greatly appreciated!

To be more clear, I'm wondering if anyone can explain to me whether or not this is a safe thing to do, and give me a reason as to why it is or is not safe.


Solution

  • If you use MyFaces 2.3.x, you can safely deactivate encryption when using server state saving. Even in public. See: https://issues.apache.org/jira/browse/MYFACES-4133

    However, I would not turn it off for client-side state saving.
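As an added illustration (not part of the question or the answer above), the two MyFaces `web.xml` context parameters involved. The first fragment keeps the view on the server, the only case in which the answer says encryption can be switched off; the second is the client-side combination the answer advises against. The parameter names are the standard JSF/MyFaces ones; the values are the example's own.

```xml
<!-- web.xml fragment, server-side state saving (MyFaces 2.3.x).
     The serialized view stays in the HTTP session; the browser only
     receives an opaque view identifier, so, per the answer above,
     the view itself does not need to be encrypted. -->
<context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>server</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
  <param-value>false</param-value>
</context-param>

<!-- The combination the answer warns against: client-side state saving
     with encryption off. The whole serialized component tree is then sent
     to the browser in the javax.faces.ViewState field, where it can be read
     and tampered with by whoever holds the page, private network or not.
     Leave USE_ENCRYPTION at its default (true) whenever
     STATE_SAVING_METHOD is client. -->
<context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>client</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
  <param-value>false</param-value>   <!-- not recommended -->
</context-param>
```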