Thank you, now I understand it.

On Wednesday, March 27, 2013 5:21:24 PM UTC+4:30, Anthony wrote:
>
> The user signature is a hash of the URL, and by default this includes the 
> query string. However, your code uses JavaScript to append the query string 
> after web2py creates the URL and its signature, so once the request is 
> made, the user signature no longer matches the hash of the full URL 
> including the query string (note, even when working properly, the 
> user_signature would not be the same as the HMAC key -- the HMAC key is 
> simply used as the key to create the hash of the URL).
>
> If you must append the query string on the client side, then you can 
> create the user signature excluding the query string via:
>
> URL(..., user_signature=True, hash_vars=False)
>
> In this case, though, you will not be able to verify the query string via 
> the digital signature (i.e., a user could manually change the query string 
> part of the URL and still have the request verified). See 
> http://web2py.com/books/default/chapter/29/04#Digitally-signed-urls for 
> more details.
>
> Anthony
>
> On Wednesday, March 27, 2013 6:55:21 AM UTC-4, yashar wrote:
>>
>>
>> Here is the link:
>> <script>
>>       window.location.href = 
>> '{{=URL('CS','close_inqueries',user_signature=True)}}'  + '&' + data;
>> </script>
>>
>> And here is the controller:
>> def close_inqueries():
>>     print request.vars
>>     print '-'*20
>>     print session
>>
>> And here is the result:
>> <Storage {'_signature': '180b1866f14c585f249ee0a3d8b74778e1ff79a0', 
>> 'Sea-24': 'on'}>
>> --------------------
>> <Storage {'_user_agent': {'os': {'name': 'Linux'}, 'is_tablet': False, 
>> 'is_mobile': False, 'dist': {'name': 'Ubuntu'}, 'browser': {'version': 
>> '19.0', 'name': 'Firefox'}}, '_auth_next': None, 'flash': None, 
>> 'user_type': 'CS', 'auth': <Storage {'hmac_key': 
>> 'bbdd4f5d-2cfa-4ee8-a7b4-c08a3b7874ee', 'remember': False, 'last_visit': 
>> datetime.datetime(2013, 3, 27, 11, 48, 35, 442411), 'expiration': 3600, 
>> 'user': <Row {'first_name': 'ali', 'last_name': 'naghi', 'registration_id': 
>> '', 'email': 'a...@naghi.com', 'reset_password_key': '', 
>> 'registration_key': '', 'id': 4}>, 'user_groups': {3: 'user_4'}}>, 
>> 'nickname': 'ali', '_session_hash': 'c55603687a5f7482dda9b0d85a7a78e1', 
>> '_formkey[login]': 'c8974fec-1b1d-4c47-9f5c-dbd4c765542c'}>
>>
>> As you see, _signature and hmac_key have different values, and I think this 
>> is the reason I get a non-authorized alert when I add 
>> @auth.requires_signature() to the controller.
>>
>> What is the correct way to do this?
>
>
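
The behaviour described in the reply above, as an added example that is not part of the original thread and is not web2py's own code: a simplified model of a keyed URL signature that shows why a client-side appended query string fails verification, and what hash_vars=False stops protecting. The key, the app path, the SHA-256 choice and the helper names sign_url and verify_url are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

HMAC_KEY = b"constructed-example-key"  # constructed; web2py keeps a per-session hmac_key


def _digest(message, key):
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def sign_url(path, query=None, key=HMAC_KEY, hash_vars=True):
    """Return path?query&_signature=..., covering the query only if hash_vars."""
    pairs = sorted((query or {}).items())
    message = path + ("?" + urlencode(pairs) if hash_vars and pairs else "")
    return path + "?" + urlencode(pairs + [("_signature", _digest(message, key))])


def verify_url(url, key=HMAC_KEY, hash_vars=True):
    """Recompute the signature from the received URL; compare in constant time."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    sent = [v for k, v in pairs if k == "_signature"]
    if len(sent) != 1:
        return False
    rest = sorted((k, v) for k, v in pairs if k != "_signature")
    message = parts.path + ("?" + urlencode(rest) if hash_vars and rest else "")
    return hmac.compare_digest(sent[0].encode(), _digest(message, key).encode())


def demo():
    path = "/app/CS/close_inqueries"  # constructed app name
    signed = sign_url(path)  # as in the thread: no vars when the URL is signed
    appended = signed + "&Sea-24=on"  # JavaScript appends data afterwards
    path_only = sign_url(path, hash_vars=False)  # workaround from the reply
    tampered = path_only + "&Sea-99=on"  # query string changed by hand
    full = sign_url(path, {"Sea-24": "on"})  # vars known at signing time
    return {
        "untouched": verify_url(signed),
        "appended_client_side": verify_url(appended),
        "path_only_tampered": verify_url(tampered, hash_vars=False),
        "full_ok": verify_url(full),
        "full_tampered": verify_url(full.replace("Sea-24", "Sea-99")),
    }


if __name__ == "__main__":
    print(demo())
```

The path_only_tampered case verifies even though the query string was changed, which is the trade-off the reply points out; values that must be trusted have to be in the URL when it is signed, or be validated separately in the controller.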
