On Dec 3, 2010, at 9:01 AM, mdipierro wrote:
> 
> New feature in trunk:
> 
> URL('index',args=[],vars={},hash_key='xxx')
> 
> the URL will have a _signature attached. The associated controller can
> check for the signature with
> 
> def index():
>     if not URL.verify(hmac_key='xxx'): ......
>     ...
> 
> Please test it. In particular we need to test the workflow and see if
> we are missing something useful or doing something wrong.

Perhaps there should be an option to exclude the query string from the hash 
calculation. Otherwise we can't sign URLs that are form actions (or that are 
similarly used with Ajax).
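
The trade-off raised in this reply, as an added example that is not part of the thread and is not web2py's implementation: an HMAC over path plus query string fails verification as soon as the client adds a field, while a path-only signature survives it. The names `sign_url`, `verify_url` and `sign_query`, the use of HMAC-SHA256, and the canonical message layout are assumptions; only the `_signature` parameter and the key `'xxx'` come from the post.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

SIG = "_signature"  # parameter name taken from the post


def _mac(key, path, pairs, sign_query):
    # Canonical message (assumed layout): the path, plus the sorted
    # query pairs when the query string is covered by the signature.
    msg = path
    if sign_query:
        msg += "?" + urlencode(sorted(pairs))
    return hmac.new(key.encode(), msg.encode(), hashlib.sha256).hexdigest()


def sign_url(path, query_vars, key, sign_query=True):
    # Hypothetical helper: append the signature to the generated URL.
    pairs = list(query_vars.items())
    sig = _mac(key, path, pairs, sign_query)
    return path + "?" + urlencode(pairs + [(SIG, sig)])


def verify_url(url, key, sign_query=True):
    # Hypothetical helper: recompute the MAC over everything except
    # the signature itself and compare in constant time.
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == SIG]
    if len(sigs) != 1:  # missing or duplicated signature
        return False
    rest = [(k, v) for k, v in pairs if k != SIG]
    expected = _mac(key, parts.path, rest, sign_query)
    return hmac.compare_digest(expected.encode(), sigs[0].encode())


def demo():
    key = "xxx"
    path, signed_vars = "/app/default/index", {"id": "7"}
    # Constructed input: the client (form or Ajax call) appends a field
    # that was not known when the URL was signed.
    full = sign_url(path, signed_vars, key) + "&q=alice"
    path_only = sign_url(path, signed_vars, key, sign_query=False) + "&q=alice"
    return verify_url(full, key), verify_url(path_only, key, sign_query=False)


if __name__ == "__main__":
    print(demo())
```

With `sign_query=False` every query value, including `id`, is outside the signature, so the controller has to validate those values itself.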
