On Wednesday, April 22, 2015 at 6:56:13 AM UTC-7, Anthony wrote:
>
>> It is a different story when building a RESTful API. There would be no 
>> rendering behavior before form submission, and normally I use state-less 
>> HTTP basic auth and then purposely turn off session feature. Unless I force 
>> my api callers to do HTTP POST first, to yet another dedicated "token" api, 
>> which will issue the token and also store it into some backend storage 
>> (such as a DB or central key-value service), blah blah. But this sounds not 
>> "lightweight" at all.
>>
> You could have the client generate its own unique token with each request 
> (e.g., a UUID or timestamp) and cache that on the server for some period of 
> time -- if another request comes in with the same token, then ignore the 
> request and return an appropriate message (perhaps indicating whether a 
> previous request was successful, in case the client didn't receive the 
> success message from an earlier attempt).
>
Thanks Anthony. That is a very creative idea indeed! I would try to go one 
step further, to let the server calculate a hash based on request.path 
AND request.vars AND the HTTP header date field, so that it would become a 
universal double-submission protection, WITHOUT needing to change the 
client side at all. After all, semantics is important in a RESTful api, and 
such a UUID is typically not in the original api parameters. Of course, all these 
are based on the assumption that there should never be a need to create 2 
fully identical records in one table.

PS: I may not try it anytime soon, because I'm going to enable unique=True 
(and manually create the unique index for my auth_user table) anyway, and 
then I get the protection for free. Still thanks a lot!
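Both schemes in this exchange (Anthony's client-generated token cached on the server, and the server-side hash of request.path, request.vars and the Date header) come down to the same mechanism: derive a key for the request, check a short-lived store, and run the handler only when the key is new. The following is an added example written for this thread, not code from the posts above or from web2py itself. It assumes an in-memory dict with a TTL as a stand-in for the "DB or central key-value service" mentioned, and the names `IdempotencyCache`, `request_fingerprint`, `run_once`, `handle_with_client_token` and `handle_with_fingerprint` are mine:

```python
import hashlib
import json
import time


class IdempotencyCache:
    """Stand-in (assumption) for the backend storage the thread mentions.
    Entries expire after ttl seconds so the store cannot grow without bound.
    The clock is injectable so expiry can be exercised without sleeping."""

    def __init__(self, ttl=300, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self._entries = {}  # key -> (expires_at, stored_result)

    def get(self, key):
        entry = self._entries.get(key)
        if entry is None:
            return None
        expires_at, result = entry
        if expires_at <= self.clock():
            del self._entries[key]  # expired: treat as never seen
            return None
        return result

    def put(self, key, result):
        self._entries[key] = (self.clock() + self.ttl, result)


def request_fingerprint(path, vars, date_header):
    """Server-side key as proposed in the thread: hash of request.path,
    request.vars and the HTTP Date header. Canonical JSON with sorted keys
    makes parameter order irrelevant to the fingerprint."""
    canon = json.dumps({"path": path, "vars": vars, "date": date_header},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def run_once(cache, key, handler, *args):
    """Run handler(*args) unless key was already seen within the TTL.
    On a repeat, return a 'duplicate' reply carrying the earlier result,
    so a client that missed the first response still learns what happened."""
    previous = cache.get(key)
    if previous is not None:
        return {"status": "duplicate", "previous": previous}
    result = {"status": "ok", "result": handler(*args)}
    cache.put(key, result)
    return result


def handle_with_client_token(cache, token, handler, *args):
    """Anthony's scheme: the client sends its own unique token per request."""
    return run_once(cache, "token:" + token, handler, *args)


def handle_with_fingerprint(cache, path, vars, date_header, handler, *args):
    """The thread's server-side variant: no client change, key derived
    from the request itself."""
    key = "fp:" + request_fingerprint(path, vars, date_header)
    return run_once(cache, key, handler, *args)


if __name__ == "__main__":
    users = []  # constructed stand-in for the auth_user table

    def create_user(email):
        users.append(email)
        return {"id": len(users), "email": email}

    cache = IdempotencyCache(ttl=60)
    # Constructed request: same path, vars and Date header submitted twice.
    path, vars, date = "/api/user", {"email": "alice@example.invalid"}, "Wed, 22 Apr 2015 13:56:13 GMT"
    first = handle_with_fingerprint(cache, path, vars, date, create_user, vars["email"])
    second = handle_with_fingerprint(cache, path, vars, date, create_user, vars["email"])
    print(first)        # status ok, id 1
    print(second)       # status duplicate, previous carries id 1
    print(len(users))   # 1: the resubmission created no second row
```

Two caveats follow directly from the thread's own assumptions. The Date header is supplied by the client, so the fingerprint only suppresses accidental resubmissions (the stated goal), and two genuinely distinct but byte-identical requests arriving in the same second would be treated as one, which is exactly the "never two fully identical records" assumption the poster spells out. In a multi-process deployment the check-and-store must be atomic in the shared store (a conditional put, or the unique index the PS mentions), because the in-memory dict above gives no such guarantee across workers.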

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.