Thank you for the reply Chris, Currently I only have Shindig installed. Would I only have to change the token_key and security_token config vars within 'shindig/php/config/container.php' to get a more secure setup going using only Shindig? Or do you recommend installing Partuza?
-Kev On Wed, Apr 29, 2009 at 3:46 PM, Chris Chabot <[email protected]> wrote: > Hey Kevin, > > On Wed, Apr 29, 2009 at 10:16 PM, Kevin Warrington < > [email protected]> wrote: > >> Can you give any guidelines or a resource for secure token generation >> best practices, with Shindig. >> >> Currently, I'm using the generateSecureToken function within >> samplecontainer.js, but would like to know the reasons for why they we >> are sending each field. >> > > The bad news is that the javascript samplecontainer is actually a poor > example for a 'real' implementation, it misses some functionality and > behaviors that you could do when you generate the iframe's, security tokens > and everything else on the server end. > > The good news is that there's actually a decent 'real' example available: > http://code.google.com/p/partuza > > And even better news is that there is some security token documentation > available: > http://www.chabotc.com/partuza/about-partuza-and-shindig-security-tokens/ > > > > >> Also, I have changed the 'default_refresh_interval' and 'cache_time' >> within /php/config/container.php to 60 seconds. I would like to have >> each individual widget cache at different intervals on the Shindig >> server. How can I accomplish this? > > > If your using the trunk version of php-shindig (vs the stable 1.0.x branch), > it'll honor the remote cache control's of every remote resource it > fetches... so the easiest way to control how long certain things are cached > is on the gadget side of things by setting expires and/or max-age headers; > If you'd want to do this in shindig that would be possible too of course, > but that would require some custom coding. > > If you *really* would want to do the later (though I would advice the cache > expires/max-age method instead), you could probably hack this up by editing > the Config::Get function, and change it to something like: > > private static $gadget_tlls; > static function get($key) { > > if (! self::$config) { > self::loadConfig(); > } > // if the config key request is for the cache_time *and* the url query > param is available, check out special ttl list > if ($key == 'cache_time' && isset($_GET['url'])) { > if (! self::$gadget_tlls) { > // do magic to load the per-gadget-url cache times here, ie load it > from file or db > } > return isset(self::$gadget_tlls[$_GET['url']]) ? > self::$gadget_tlls[$_GET['url']] : self::$config[$key]; > } > if (isset(self::$config[$key])) { > return self::$config[$key]; > } else { > throw new ConfigException("Invalid Config Key"); > } > } > > That wouldn't be very efficient, so best add some caching to the per url tll > too, but it would accomplish what your trying to do. > > Hope that helps! > > -- Chris >
