[web2py] Re: Link-pass data to new view via session not on URL
On Oct 25, 4:26 am, Brian M wrote:
> It may not be a concern for your app, but it is something to consider.

You raise some very interesting points. I am probably not going to design anything for these kinds of situations right now, simply due to lack of time, but I'll certainly keep it in mind.
[web2py] Re: Link-pass data to new view via session not on URL
If you're looking up off of a session variable, be sure to take into account what might happen if a user happens to have your site open in multiple windows/tabs. What if you've got a client looking for room rates in different tabs for two different dates or rooms trying to do some comparison shopping? They have tab A open with rates for date A and tab B open for rates for date B. They decide that they like offer #5 on tab A and click the link/submit the form. However, the contents of the session have changed since tab A was originally rendered, and now you actually look up offer #5 from tab B and the client gets something completely different than what they wanted. It may not be a concern for your app, but it is something to consider.

On Oct 24, 3:35 pm, cjrh wrote:
> On Oct 24, 9:48 pm, Brian M wrote:
> > How about include all the calculated values in your form and add in an additional field that's a HMAC keyed hash of the others using a key that only you know? When the user submits, make sure the rest of the field values still combine & hash the same way and then you'll know the user hasn't messed with the form.
>
> Thanks for the comment. It's very clever, but too much work. I am rather going to keep my calculated values in the server-side session, and always fetch them from there. The client will only ever submit an index into that server-side hash. I am fairly sure now that this is the way to go here.
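An added illustration of the multi-tab problem Brian describes (not code from this thread or from web2py): a plain dict stands in for the web2py session, the single-slot scheme is shown returning the wrong tab's rate, and the fix keys each rendered page's snapshot under its own unguessable token that the form posts back together with the row index. The token field, the snapshot cap and the sample rates are constructed for the example.

```python
import secrets
from decimal import Decimal

# Constructed sample offers for two searches the user has open in two tabs.
OFFERS_DATE_A = [{"room": "river cottage", "rate": Decimal("120.00")},
                 {"room": "loft", "rate": Decimal("95.00")}]
OFFERS_DATE_B = [{"room": "river cottage", "rate": Decimal("180.00")},
                 {"room": "loft", "rate": Decimal("140.00")}]


def naive_render(session, offers):
    """Single-slot scheme: whichever tab rendered last owns the session."""
    session["offers"] = list(offers)


def naive_confirm(session, index):
    return session["offers"][int(index)]


def render_offers(session, offers, max_snapshots=20):
    """Per-render scheme: each page gets its own snapshot under a fresh,
    unguessable token that the form carries back as a hidden field."""
    token = secrets.token_urlsafe(16)
    snapshots = session.setdefault("offer_snapshots", {})
    while len(snapshots) >= max_snapshots:      # bound per-session memory
        snapshots.pop(next(iter(snapshots)))    # dicts keep insertion order
    snapshots[token] = list(offers)
    return token


def confirm_offer(session, token, index):
    """Resolve the client's (token, index) pair against server-side state.
    Returns None for an unknown token or a bad index; the rate itself is
    never read from the request."""
    snap = session.get("offer_snapshots", {}).get(token)
    if snap is None:
        return None
    try:
        i = int(index)
    except (TypeError, ValueError):
        return None
    return snap[i] if 0 <= i < len(snap) else None


def demo():
    """Tab A renders date A, then tab B renders date B in the same session;
    the user then clicks offer 0 in tab A."""
    session = {}
    naive_render(session, OFFERS_DATE_A)
    naive_render(session, OFFERS_DATE_B)
    wrong = naive_confirm(session, 0)["rate"]     # tab B's rate, not tab A's

    token_a = render_offers(session, OFFERS_DATE_A)
    token_b = render_offers(session, OFFERS_DATE_B)
    right = confirm_offer(session, token_a, 0)["rate"]
    other = confirm_offer(session, token_b, 0)["rate"]
    return wrong, right, other
```

The snapshot cap keeps a user who opens many tabs from growing the session without bound; an expired token simply fails closed and the user re-runs the search.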
[web2py] Re: Link-pass data to new view via session not on URL
On Oct 24, 9:48 pm, Brian M wrote:
> How about include all the calculated values in your form and add in an additional field that's a HMAC keyed hash of the others using a key that only you know? When the user submits, make sure the rest of the field values still combine & hash the same way and then you'll know the user hasn't messed with the form.

Thanks for the comment. It's very clever, but too much work. I am rather going to keep my calculated values in the server-side session, and always fetch them from there. The client will only ever submit an index into that server-side hash. I am fairly sure now that this is the way to go here.
[web2py] Re: Link-pass data to new view via session not on URL
On Oct 24, 9:41 pm, Branko Vukelic wrote:
> Oh, so ok, I get what you're trying to do now. Don't pass charge amount around. Charge amount should be one-way. You NEVER, under ANY circumstances, using ANY technology, expect that amount to come from client side.

Yes, I guess that should have been obvious to me from the start!

> The ajax thing you used is readily readable using any javascript debugger.

Yeah, I agree. Through our discussion, it slowly dawned on me during the course of this thread.

> If there is a definite correlation between the rates and the final amount you either
>
> a. get the amount of service and return the total cost, or

Yeah, this is the one.

> The best way to do this is probably to use a table for unconfirmed offerings. And move them into confirmed table once confirmation is done.

Ok, that's something I'll think about. However, having also thought about it more myself, I reckon I am going to go with the idea of storing all rows' data in the server-side session before showing the selection page that displays all rows, and passing (from the client) only the user-selected row index to the subsequent controller function, via a form submit. Then, in that controller, I'll look up the other data for the selected row again on the server side using the server-side session, and show the confirmation page with the calculated data again. The quantity of data is going to be small enough that size is no issue (say 30 selectable rows), and this scheme is very simple, hence low likelihood of bugs, and other unforeseen situations.

Thanks very much for your help. It is amazing how much an intelligent sounding board helps to clarify thought.
[web2py] Re: Link-pass data to new view via session not on URL
This could be a default feature. Let me give it some thought.

On Oct 24, 2:48 pm, Brian M wrote:
> How about include all the calculated values in your form and add in an additional field that's a HMAC keyed hash of the others using a key that only you know? When the user submits, make sure the rest of the field values still combine & hash the same way and then you'll know the user hasn't messed with the form. For that matter you could probably safely just put it all in the URL's query string since if the user messes with any part of it you'll know.
>
> http://docs.python.org/library/hmac.html
>
> You may even just be able to use web2py's CRYPT() validator.
>
> On Oct 24, 1:41 pm, cjrh wrote:
> > On Oct 24, 5:03 pm, Branko Vukelic wrote:
> > > * Calculated values are shown, and a form with hidden fields and a submit button labeled 'Confirm' is shown
> >
> > The hidden fields still show in the page source though. A smart user could submit his own set of data if he can see what field id's are being expected. That's what I want to avoid. There must be no way a user can change the charge amount at any stage of the process.
> >
> > I had another idea a short while ago: I'll cache charge amount for all the rows (in the server-side session object), and send through (as form post data) the identity of the selected row. That way, the next controller function will be able to retrieve the appropriate calculation result for the selected row, and the user will have no way to edit the calculation amount.
> >
> > What do you think?
[web2py] Re: Link-pass data to new view via session not on URL
How about include all the calculated values in your form and add in an additional field that's a HMAC keyed hash of the others using a key that only you know? When the user submits, make sure the rest of the field values still combine & hash the same way and then you'll know the user hasn't messed with the form. For that matter you could probably safely just put it all in the URL's query string since if the user messes with any part of it you'll know.

http://docs.python.org/library/hmac.html

You may even just be able to use web2py's CRYPT() validator.

On Oct 24, 1:41 pm, cjrh wrote:
> On Oct 24, 5:03 pm, Branko Vukelic wrote:
> > * Calculated values are shown, and a form with hidden fields and a submit button labeled 'Confirm' is shown
>
> The hidden fields still show in the page source though. A smart user could submit his own set of data if he can see what field id's are being expected. That's what I want to avoid. There must be no way a user can change the charge amount at any stage of the process.
>
> I had another idea a short while ago: I'll cache charge amount for all the rows (in the server-side session object), and send through (as form post data) the identity of the selected row. That way, the next controller function will be able to retrieve the appropriate calculation result for the selected row, and the user will have no way to edit the calculation amount.
>
> What do you think?
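An added example of the HMAC-signed hidden-field scheme Brian suggests here (and that is quoted again in the reply above); it is not Brian's code nor web2py's CRYPT() validator, just the standard hmac module. The '_signed' and '_mac' field names, the key handling and the sample quote values are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed server-side key: in a deployment it comes from configuration
# and is never sent to the client.
SECRET_KEY = secrets.token_bytes(32)


def canonical(fields):
    """Deterministic byte encoding of the protected fields: sorted keys and
    URL-encoding, so a '&' or '=' inside a value cannot forge a boundary."""
    return urlencode(sorted((k, str(v)) for k, v in fields.items())).encode()


def sign_fields(fields, key=SECRET_KEY):
    """Return the hidden fields to render: the values (as strings, as the
    browser will post them), a '_signed' list of the field names the MAC
    covers, and the MAC itself in '_mac'."""
    protected = {k: str(v) for k, v in fields.items()}
    protected["_signed"] = ",".join(sorted(fields))
    mac = hmac.new(key, canonical(protected), hashlib.sha256).hexdigest()
    return dict(protected, _mac=mac)


def verify_fields(posted, key=SECRET_KEY):
    """Recompute the MAC over what came back. Returns the covered fields as
    submitted, or None if any of them (or the name list) was changed or
    dropped. Fields outside the list are ignored, not trusted."""
    posted = dict(posted)
    mac = posted.pop("_mac", None)
    names = posted.get("_signed")
    if mac is None or names is None:
        return None
    covered = {n for n in names.split(",") if n} | {"_signed"}
    protected = {k: str(posted[k]) for k in covered if k in posted}
    if set(protected) != covered:                 # a covered field is missing
        return None
    expected = hmac.new(key, canonical(protected), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):    # constant-time comparison
        return None
    protected.pop("_signed")
    return protected


def demo():
    """Render a quote, then check an untouched and an edited submission."""
    hidden = sign_fields({"room": "river cottage", "nights": 3, "rate": "120.00"})
    untouched = verify_fields(hidden)                   # posted back as rendered
    edited = verify_fields(dict(hidden, rate="1.00"))   # rate edited in page source
    return untouched, edited
```

The MAC proves the values were not edited; it does not prove they are fresh, so a quote that should expire also needs a signed timestamp (or a binding to the user's session) checked on the server.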
Re: [web2py] Re: Link-pass data to new view via session not on URL
On Sun, Oct 24, 2010 at 8:41 PM, cjrh wrote:
> On Oct 24, 5:03 pm, Branko Vukelic wrote:
>> * Calculated values are shown, and a form with hidden fields and a submit button labeled 'Confirm' is shown
>
> The hidden fields still show in the page source though. A smart user could submit his own set of data if he can see what field id's are being expected. That's what I want to avoid. There must be no way a user can change the charge amount at any stage of the process.

Oh, so ok, I get what you're trying to do now. Don't pass charge amount around. Charge amount should be one-way. You NEVER, under ANY circumstances, using ANY technology, expect that amount to come from client side. There is nothing you can do to prevent a skilled hacker from manipulating the data. The ajax thing you used is readily readable using any javascript debugger.

If there is a definite correlation between the rates and the final amount you either

a. get the amount of service and return the total cost, or
b. get the total cost and return the amount of service

You can't receive both, and hope it's correct. Period.

The best way to do this is probably to use a table for unconfirmed offerings. And move them into confirmed table once confirmation is done. Either that or make a confirmation flag in the database, and add expiry date to it so it automatically expires in, say, 24 hours if user doesn't confirm.

--
Branko Vukelić
bg.bra...@gmail.com
stu...@brankovukelic.com
Check out my blog: http://www.brankovukelic.com/
Check out my portfolio: http://www.flickr.com/photos/foxbunny/
Registered Linux user #438078 (http://counter.li.org/)
I hang out on identi.ca: http://identi.ca/foxbunny
Gimp Brushmakers Guild http://bit.ly/gbg-group
[web2py] Re: Link-pass data to new view via session not on URL
On Oct 24, 5:03 pm, Branko Vukelic wrote:
> * Calculated values are shown, and a form with hidden fields and a submit button labeled 'Confirm' is shown

The hidden fields still show in the page source though. A smart user could submit his own set of data if he can see what field id's are being expected. That's what I want to avoid. There must be no way a user can change the charge amount at any stage of the process.

I had another idea a short while ago: I'll cache charge amount for all the rows (in the server-side session object), and send through (as form post data) the identity of the selected row. That way, the next controller function will be able to retrieve the appropriate calculation result for the selected row, and the user will have no way to edit the calculation amount.

What do you think?
Re: [web2py] Re: Link-pass data to new view via session not on URL
On Sun, Oct 24, 2010 at 4:43 PM, cjrh wrote:
> The datum in my case is a room rate that a client must pay. Recalculation is somewhat complicated, and I had hoped to avoid a recalculation and just pass the already-calculated value to the "confirmation" page. I cannot let that be part of the URL for obvious reasons, and I suspect having it appear in postdata will also be problematic. On the first page, the user selects one of many rates. In the following page, I ask for confirmation. How to get the previously-calculated rate over to the confirmation page?

Here's how I'd do it.

# PAGE 1
* User enters the desired options

# SERVER-SIDE
* Values are calculated and fed into a template

# PAGE 2
* Calculated values are shown, and a form with hidden fields and a submit button labeled 'Confirm' is shown

# SERVER-SIDE
* The submitted values are entered in a database and fed into the thank-you page template

# PAGE 3
* Thank you message with calculated data again and optional "Nah, I was jist kiddin'" button.

--
Branko Vukelić
[web2py] Re: Link-pass data to new view via session not on URL
On Oct 24, 4:43 pm, cjrh wrote:
> So as I said, looks like the safest is for me to simply calculate the rate again.

On the server-side, I mean. Dunno if that was clear.
[web2py] Re: Link-pass data to new view via session not on URL
On Oct 24, 4:29 pm, Branko Vukelic wrote:
> Since you say the data is already in the table on the page, there's no point in trying to hide it, especially since POST isn't really hiding anything if someone really wants to get ahold of request data.

The datum in my case is a room rate that a client must pay. Recalculation is somewhat complicated, and I had hoped to avoid a recalculation and just pass the already-calculated value to the "confirmation" page. I cannot let that be part of the URL for obvious reasons, and I suspect having it appear in postdata will also be problematic. On the first page, the user selects one of many rates. In the following page, I ask for confirmation. How to get the previously-calculated rate over to the confirmation page? Probably the safest is for me to calculate it again, I guess.

FWIW I solved my state problem with a form post, as you suggested:

    def testajax2():
        rows = []
        for i in range(10):
            # One submit button per row; its onclick copies that row's
            # values into the form's hidden fields before the submit.
            rows.append(
                TR('A cottage on the river', '', '', '',
                   INPUT(_name='b' + str(i), _value='Book Now!', _type='submit',
                         _onclick=XML("$('#choice').val('" + str(i) + "'); "
                                      "$('#disposition').val('" + str(i * 10) + "'); "
                                      "$('#weaponry').val('" + str(i * 100) + "')"))))
        # One form wraps the whole table, so every button posts to showme().
        return dict(form=FORM(
            INPUT(_name='choice', _id='choice', _type='hidden', value='0'),
            INPUT(_name='disposition', _id='disposition', _type='hidden', value='0'),
            INPUT(_name='weaponry', _id='weaponry', _type='hidden', value='0'),
            TABLE(rows),
            _action=URL(f=showme)))

There are a bunch of submit buttons in one form which contains a table with many rows. The onclick event of the submit button sets the values of three hidden input fields in the form.

My previous javascript attempts would be no safer anyway, because the setter URL would still have been visible in the page source. So as I said, looks like the safest is for me to simply calculate the rate again.
Re: [web2py] Re: Link-pass data to new view via session not on URL
On Sun, Oct 24, 2010 at 4:16 PM, cjrh wrote:
> I want to know if there is a way to get data to go from a page to a controller function via an HTTP link, rather than using a form, and without showing that data on the URL.

AFAIK, you only get to use two HTTP methods (regardless of whether AJAX is involved or not): GET and POST. GET uses query params to pass around values (in the URL as you say), and POST sends them inside the request. There are no other options.

At any length, web is stateless. It means that the server-side doesn't have to know what the user was doing on the previous page when processing a request. This implies that everything you have to know when server is processing a request, has to be made available to the server at the time request is made. Fighting that is time-consuming, and usually not a very good idea.

In your case, the best way is actually number 1: use GET. This results in a single request, and that's how HTTP is supposed to work. Since you say the data is already in the table on the page, there's no point in trying to hide it, especially since POST isn't really hiding anything if someone really wants to get ahold of request data.

--
Branko Vukelić
[web2py] Re: Link-pass data to new view via session not on URL
On Oct 24, 3:23 pm, Branko Vukelic wrote:
> It might help if you could show us the table. I'm still not sure I understand what you're trying to do.

There are three ways (that I know of) to get data to be available in successive controller functions:

1) Pass it on the URL as arguments
2) Write it to the session object
3) Pass it as form post params

In (1), the data is visible to the user. In (3), you need to use a form with a submit button. In (2), you can't populate the session object through the act of the user clicking on a link to the next page.

Now it turns out that you can actually do (2), using javascript as I explained in earlier posts. But it requires two HTTP requests, and seems somehow "the long way round". I want to know if there is a way to get data to go from a page to a controller function via an HTTP link, rather than using a form, and without showing that data on the URL.
Re: [web2py] Re: Link-pass data to new view via session not on URL
On Sun, Oct 24, 2010 at 12:16 PM, cjrh wrote:
> It all now works as expected, however, I remain unsure about this as a viable strategy anyway. I would love to hear about best practice here.

It might help if you could show us the table. I'm still not sure I understand what you're trying to do.

--
Branko Vukelić
[web2py] Re: Link-pass data to new view via session not on URL
On Oct 24, 1:56 am, cjrh wrote:
> Would I have to use javascript?
>
> My tests below don't seem to permanently update the session object inside setnum(), even though request.args does contain the number sent by ajax. Inside showme(), the session value is default once again, making me think the cookies are somehow required in the ajax call.

Ok, I was wrong. Everything does work as expected, provided you do the following:

    A('Click Me',
      _href=URL(f='showme'),
      _onclick=XML("$.ajax({url: 'setnum/" + str(i) + "', async: false})"))

The trick there is the "async: false". My problem was a race between the ajax session update (inside controller function setnum) versus the page display of session status in controller function showme().

It all now works as expected, however, I remain unsure about this as a viable strategy anyway. I would love to hear about best practice here.
[web2py] Re: Link-pass data to new view via session not on URL
On Oct 24, 2:20 am, Branko Vukelic wrote:
> How is the data 'associated' with the link?

Say I have a table of 10 items. In each row, there is a link to the same URL. However, I want to access row-specific data in the target controller function, without supplying that data through the URL itself. This suggests to me "use the session object", but the problem is that I don't know how to store something in the session when a link is clicked.

Alternatively, I guess I could use a separate FORM on each row of the table, and use a form button instead of a link (then I could access request.vars).

Is my question clear? I am new to web programming so I don't have all the domain jargon correct yet.
Re: [web2py] Re: Link-pass data to new view via session not on URL
On Sun, Oct 24, 2010 at 2:17 AM, cjrh wrote:
> On Oct 24, 1:56 am, cjrh wrote:
>> My tests below don't seem to permanently update the session object inside setnum(), even though request.args does contain the number sent by ajax.
>
> Ok, I figured out that the $.ajax() call doesn't send a cookie, so the session object inside setnum() is an entirely new one, not the one we want to update. I still want to know how to get data through to a new page via a link (as opposed to a form), and without using data on the URL.

How is the data 'associated' with the link?

--
Branko Vukelić
[web2py] Re: Link-pass data to new view via session not on URL
On Oct 24, 1:56 am, cjrh wrote:
> My tests below don't seem to permanently update the session object inside setnum(), even though request.args does contain the number sent by ajax.

Ok, I figured out that the $.ajax() call doesn't send a cookie, so the session object inside setnum() is an entirely new one, not the one we want to update. I still want to know how to get data through to a new page via a link (as opposed to a form), and without using data on the URL.