For a webapp written in Grails I would like to keep track of the current users account. In addition the account-name should be displayed as part of the url.
1) Keep the variable in the session
2) Pass the variable via account parameters
Currently I am experimenting with option 2 which allows me to create URL's like http://app.com/accountname/controller. The drawback is that with every URL I will have to pass the account name along as a variable. This is tedious and error prone.
Is any of the two options preferable? Are there better ways in Grails to achieve this?
Regards,
Jens
I have been using a session variable to keep track of the user's account.
Ie: session.user = userAccount;.
You could set this in your login controller.
A better way to keep track of the user is probably to set a cookie. It will be sent to the server with every request & you can easily read it. Why do you need the account name to be part of the URL? I can't think of a good reason to put the current users account in the URL. What happens when someone copy's & paste a link, and someone else follows it? Can you give some more details on what you're trying to do?
Related
In my Rails App, I made a form_for to allow any visitor to submit their content.
But after submit, I want to ask user, whether they want to register for this site or not.
There are some approach to this:
Redirect after user submits the form, left the initial post anonymous.
Much the same as the first one. But somehow help user to reclaim the post they just make
Store the content in some place first and do not submit. Instead, ask for register. And after register, show the stored content before and ask user to submit again.
Basically, I can implement the 1st method. But it seems just not that good. For the 2nd and 3rd one, I do not know how to reclaim the post or store content beforehand.
Is there a standard way to do this? How can I solve this problem?
For solving the same kind of problem, I chose your 3rd option. For that you can use sessions, it will allow you to keep some information in memory related to a specific connection to your server.
http://guides.rubyonrails.org/action_controller_overview.html#session
There are some ways.
First of all you need to keep in mind that these are different behaviors from which you should chose first and do not let the implementation force you to chose one.
For the second case you can have the id of the post that was created (along with some guarantees that it is an orphan post) and then tweak your register method to also assign a post to a user after creating one.
The Third case can be implemented by storing the post data either to session or to a backend temporary store and retrieve them if needed.
first off all please excuse me if i dont use all the right terminology. I have the URL issue with my rails app. Basically it works but I just find the url to be a bit too "obvious" and maybe a security issue.
example i have a user resource the users show page will go to websitename.com/users/user_id right ? This is probably convention but how do i go about changing that to display something random ? I tried using a secure token (not sure if it was the right thing to do) and sessions are saved in the token but the url is still quite obvious. Authorization works and non-signed in users cant just visit lets say user with id one lol. Please if this dosent make sense I will try and clarify just ask. Thanks.
Edit.
Also can some one explain to me what a token does then, my understanding was instead of saving a user session with the user id and the id hets displayed, a users session was saved in a secure token and the token (generally random string) got displayed. wrong??
You can overwrite the to_param method for your user object. You could then have i.e. a column in the database, where you store a hash that is your param for the object. See also the Rails guides section for that.
Try https://rubygems.org/gems/friendly_id
It allows to have permalinks in urls instead of plain IDs
Guys i'have a question.
I'm currently buiding a wizard that has 5 step's until being completed.
The user starts by the first step where he generates the entry id.
From there on i start passing the id over the url like this:
host.com/{controller}/{view}/{id}
This is how my url looks like after the step1,
------- currently at view step2 passing the id=120
host.com/{controller}/step2/120
This isn't safe because as you know, anyone can change the id and affect other users's entries. Ofc, it can be quickly solved by reading if the authenticated user is proprietary of the entry that he must be trying to access in each view.
Now, my question is... is there a better way to do this?
Any tips for future work?
Is what i'm doing enougth?
(begginer doubt praying for a expert awnser)
Cheers
...It can be quickly solved by reading if the authenticated user is proprietary of the entry that he must be trying to access in each view.
Yes, that's true. You should start there.
Here are some other things that you could do:
You could make your entry ids Guids instead, so that a would-be hacker would never try to guess an entry id.
Because using GET for sensitive data is a bad idea, you could, as endyourif suggests, pass the entry ids with hidden fields instead.
If you are truly concerned about the user altering the ID in the URL, then you must spend the additional time adding an "isOwnedBy" like functionality.
As an additional security measure, you could pass it via a hidden variable in the form so it is at least not as easy to change as well.
Edit: I like #LeffeBrune's suggestion of encrypting the idea as well. However, I still suggest that the validation is performed on the function to ensure the user owns the object. It's just good practice.
For one of my project's (weird) requirements, I want to use cookie less sessions. At the same time, "session.use_trans_sid" can not be turned on :(
Does anybody please let me know if is there any other way out ??
Thanks
Manish
Make a custom session manager that identifies the user based on, for example, IP address and user agent and other identifying factors (as IP+UA might not and probably will not be unique). Another (ugly) solution is to just implement the use_trans_sid functionality yourself by adding a session identifier GET parameter to every link by hand (if it's a small site) or with a hidden form (that's non-standard).
If you really want sessions without cookies, you can always put the SID in all your URLs manually. People used to do this quite a bit. :-)
The only other option is to keep the session data on the client and pass it back and forth to and from the server with each request, although technically that would be a sessionless architecture.
That means that for GETs each link has to be rewritten to include all the session variables, and for POSTs they have to be included as hidden fields.
What does the following line mean?
Put the boolean variable isLogin to your session such that you check the session each time your user goes to the secured site.
I would like to know how you can put a variable to a session. I know at the abstract level that
session is a semi-permanent
interactive information interchange,
also known as a dialogue, a
conversation or a meeting, between two
or more communicating devices, or
between a computer and user
I know that you can store data in a URL by separating variables by the character &.
I know at the abstract level that you need to use post orget and some read -function to check the data in the URL.
I know that cookies are files where you store data, but I have never stored data to them.
Does he mean that I should put the login -variable to the URL or to cookies?
Taking out all the context doesn't make it any easier to answer your question - actually I have to guess that you are talking about php, because it looks like you might be.
Sessions.
Sessions are a way of 'remembering' users for a limited time. Say I visit page A.php on your website first. Now, that website might define an isLoggedIn session variable for me. If a bit later I go to page B.php on your site, that site 'remembers' that variable and can tell what it' s value was.
Sessions and Cookies do have a relation, but that only matters when you want to know how sessions work. This will be important later on as you will need to know the weaknesses of sessions, but first it is important you get to know how to use them.
Before you can use session variables, you must call session_start(), to start a session - this must be called on each page that uses the session variables. Once we have we can simply access the array $_SESSION and all that's in there will be remembered with the session.
Take a look over here to get a more complete explanation and a number of examples.