The user signature is a hash of the URL, and by default this includes the query string. However, your code uses JavaScript to append the query string after web2py creates the URL and its signature, so once the request is made, the user signature no longer matches the hash of the full URL including the query string (note, even when working properly, the user_signature would not be the same as the HMAC key -- the HMAC key is simply used as the key to create the hash of the URL).

If you must append the query string on the client side, then you can create the user signature excluding the query string via:

    URL(..., user_signature=True, hash_vars=False)

In this case, though, you will not be able to verify the query string via the digital signature (i.e., a user could manually change the query string part of the URL and still have the request verified). See http://web2py.com/books/default/chapter/29/04#Digitally-signed-urls for more details.

Anthony

On Wednesday, March 27, 2013 6:55:21 AM UTC-4, yashar wrote:
>
> here is the link:
> <script>
> window.location.href =
> '{{=URL('CS','close_inqueries',user_signature=True)}}' + '&' + data;
> </script>
>
> and here is the controller:
> def close_inqueries():
>     print request.vars
>     print '-'*20
>     print session
>
> and here is the result:
> <Storage {'_signature': '180b1866f14c585f249ee0a3d8b74778e1ff79a0',
> 'Sea-24': 'on'}>
> --------------------
> <Storage {'_user_agent': {'os': {'name': 'Linux'}, 'is_tablet': False,
> 'is_mobile': False, 'dist': {'name': 'Ubuntu'}, 'browser': {'version':
> '19.0', 'name': 'Firefox'}}, '_auth_next': None, 'flash': None,
> 'user_type': 'CS', 'auth': <Storage {'hmac_key':
> 'bbdd4f5d-2cfa-4ee8-a7b4-c08a3b7874ee', 'remember': False, 'last_visit':
> datetime.datetime(2013, 3, 27, 11, 48, 35, 442411), 'expiration': 3600,
> 'user': <Row {'first_name': 'ali', 'last_name': 'naghi', 'registration_id':
> '', 'email': 'a...@naghi.com', 'reset_password_key': '',
> 'registration_key': '', 'id': 4}>, 'user_groups': {3: 'user_4'}}>,
> 'nickname': 'ali', '_session_hash': 'c55603687a5f7482dda9b0d85a7a78e1',
> '_formkey[login]': 'c8974fec-1b1d-4c47-9f5c-dbd4c765542c'}>
>
> as you see _signature and hmac_key have different values and I think this
> is the reason I get a not authorized alert when I add
> @auth.requires_signature() to the controller.
>
> what is the correct way to do this?
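
The behaviour described in the reply above, as a simplified model added here for illustration; it is not web2py's code and not part of the thread. The `sign`, `signed_url` and `verify` helpers, the key value and the `/app` path prefix are assumptions made for the example.

```python
import hashlib
import hmac
from urllib.parse import urlencode, parse_qsl

KEY = "constructed-session-hmac-key"   # constructed value, stands in for the session's HMAC key
PATH = "/app/CS/close_inqueries"       # "/app" prefix is an assumption


def sign(path, query_vars, key, hash_vars=True):
    """Keyed hash of the path, plus the sorted query vars when hash_vars is True."""
    message = path
    if hash_vars and query_vars:
        message += "?" + urlencode(sorted(query_vars.items()))
    return hmac.new(key.encode(), message.encode(), hashlib.sha1).hexdigest()


def signed_url(path, query_vars, key, hash_vars=True):
    """Server side: build the URL and append its signature as _signature."""
    sig = sign(path, query_vars, key, hash_vars)
    return path + "?" + urlencode(sorted(query_vars.items()) + [("_signature", sig)])


def verify(url, key, hash_vars=True):
    """Server side on request: recompute the hash over what actually arrived."""
    path, _, qs = url.partition("?")
    received = dict(parse_qsl(qs, keep_blank_values=True))
    sig = received.pop("_signature", "")
    return hmac.compare_digest(sig, sign(path, received, key, hash_vars))


# Case 1: signed with no vars, query string appended by the client afterwards.
appended = signed_url(PATH, {}, KEY) + "&Sea-24=on"

# Case 2: signature excludes the query string (the hash_vars=False trade-off).
path_only = signed_url(PATH, {}, KEY, hash_vars=False)

# Case 3: vars known to the server when the URL is built, so they are covered.
covered = signed_url(PATH, {"Sea-24": "on"}, KEY)

if __name__ == "__main__":
    print("appended after signing:", verify(appended, KEY))
    print("path-only, original   :", verify(path_only + "&Sea-24=on", KEY, hash_vars=False))
    print("path-only, edited     :", verify(path_only + "&Sea-99=on", KEY, hash_vars=False))
    print("vars covered, original:", verify(covered, KEY))
    print("vars covered, edited  :", verify(covered.replace("Sea-24=on", "Sea-24=off"), KEY))
```

Case 2 verifies for any query string, which is the limitation the reply points out; only case 3 rejects an edited parameter.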