When you are choosing to save state on the client, you are essentially saying that you want state to be sent over the wire and saved on the client in a hidden field. Clearly, this opens the door to potential tampering with the state information. To prevent this from happening, you can specify that the state must be encrypted before it is transmitted to the client.
To specify that state must be encrypted using NetBeans IDE, do the following:
Expand the node of your project in the Projects pane.
Expand the Web Pages and WEB-INF nodes that are under the project node.
After the web.xml file appears in the editor pane, click References at the top of the editor pane.
Expand the Environment Entries node.
In the Add Environment Entry dialog:
Enter com.sun.faces.ClientStateSavingPassword in the Entry Name field.
Select java.lang.String from the Entry Type menu.
To specify that state must be encrypted by editing the deployment descriptor directly, do the following:
Add an env-entry element to your deployment descriptor.
Add an env-entry-name element to the env-entry element and give it the name com.sun.faces.ClientStateSavingPassword.
Add an env-entry-value element to the env-entry element, and give it your password. The password that you provide is used to generate keys and ciphers for encryption.
Add an env-entry-type element and give it the type of your password, which must be java.lang.String.
If your deployment descriptor does not contain this environment entry then no encryption of client-side state will occur.