forms: copying objects from request to request
I have the following problem: I have a form in dtml documentA where there is some variable x and the user gives some value to x, using the form. The dtml document associated with the action of the form of DocumentA is called DocumentB. If the submit button is pressed, DocumentB is loaded and the variable x is visible from REQUEST. Let's say DocumentB has also a form in it where there is some other variable (but not x). The form in DocumentB has associated with the action another document, called DocumentC. If the submit button is pressed DocumentC is loaded. Variables in form of DocumentB are visible from DocumentC. However, variable x in form of DocumentA is not visible from DocumentC. What should I do, in order to use the value of variable x in DocumentC. I believe I must, somehow, copy the value of x from REQUEST of A to B to the new REQUEST from B to C. ?hanks in advance, Panos Hilaris
hello again,
I believe I must, somehow, copy the value of x from REQUEST of A to B to the new REQUEST from B to C.
you must use a hidden form in DocumentB to transport your variable x from DocumentA to DocumentC. something like this: <input type="hidden" name="x" value="<dtml-var x missing="">"> bye, maik jablonski -- Maik Jablonski Zentrum fuer Lehrerbildung Universitaet Bielefeld Germany
Hi!
you must use a hidden form in DocumentB to transport your variable x from DocumentA to DocumentC.
The more elegant solution is using sessions for that. Like SmartWizards do for example. You'd just store the REQUEST variables you'll need with (in DTML) <dtml-call "SESSION.set('x', REQUEST.['x']">. Hidden forms work fine, but they are a hack. In some cases they even are a security risk: Anybody can open your HTML file with a text editor, manipulate the hidden form values and post the form. I saw this once with a form that changed a user's password. It held the user roles in a hidden form field. So the user could have just sent the form with "Manager" added to the hidden form field to get full system access ... Joachim
On Mon, Jan 28, 2002 at 08:09:15PM +0100, Joachim Werner wrote:
Hi!
you must use a hidden form in DocumentB to transport your variable x from DocumentA to DocumentC.
The more elegant solution is using sessions for that. Like SmartWizards do for example.
You'd just store the REQUEST variables you'll need with (in DTML)
<dtml-call "SESSION.set('x', REQUEST.['x']">.
Hidden forms work fine, but they are a hack. In some cases they even are a security risk: Anybody can open your HTML file with a text editor, manipulate the hidden form values and post the form.
Well, to my mind, sessions are also "just a hack". The problem with sessions is that they require heavier machinery to support, a policy (which is certain to be wrong) about when the session is closed, and a session key, which is as valuable to a determined cracker as the hidden fields are. But lets take these one at a time: 1) heavier machinery: You have to have a per-user repository for sessions. A user can have an arbitrary number of sessions open at once (multiple browser windows). That means the session data can be very large. And that tends to require external databases. External databases and zope play very nicely together indeed, but it is an additional requirement. 2) policy problems: Each use can have an arbitrary number of sessions open. HTTP does not signal when a session should be closed, sessions are thus held in a frozen, and often useless state if a user abandons a session without logging out. This gives you one of two choices -- to time out a session after some amount of time, or to delete all sessions on login. [Logout is more natural, but you have no guarantee that logout will ever occur (the user may simply leave, or the browser crash, etc.)]. Arbitrary timeouts are guaranteed to hurt someone, some time. Login is more interesting, but makes session recovery after a crash more problematic. 3) Session IDs: You have to grant a session ID. How can it be stored? In hidden data! (Or in the functional equivalent of a cookie.) And unless you are encrypting all traffic, these can be sniffed while on the network. This gives a patient attacker plenty of opportunity to assume a session by simply responding to the request more quickly than the actual user. This is something the user is likely to "see", but, I suspect something the user is not likely to report. That is, in some sense, sessions reduce to hidden variables. Look, HTTP is stateless, by design. Sessions are stateful, by design. A stateless and a stateful system are bound to react in odd ways when used together, at least sometimes. Mind you, I am not blindly opposed to sessions; they sometimes make a great deal of sense, and I use them myself. If you have a LOT of data to transfer and several layers of forms, they can make life much easier, as the data does not have to be remarshalled into each form. Also, note that it is not hard to protect hidden variables, people just seldom do. For example, you could take a secret, concatenate the hidden values and calculate a SHA signature of this string. The server sends the hidden variabls, as usual, and also sends this SHA as an additional hidden variable. Now when the server gets the form back, it performs the calculation again. If the returned SHA does not match the newly calculated SHA, then the hidden variables have been tampered with and should be rejected.
I saw this once with a form that changed a user's password. It held the user roles in a hidden form field. So the user could have just sent the form with "Manager" added to the hidden form field to get full system access ...
See above paragraph. Recap: use sessions when you have a lot of data to transfer across forms. Use hidden variables when you have small amounts to move. Sessions are often more secure in practice, not because they are inherently a better idea, but because session authors have often thought the problems through. In either case, if security is a concern, the sessionID and/or any hidden variables should be protected using a digital signature. If you use sessions, be sure that you understand and document the session expiration policy. Jim Penny
Hi!
1) heavier machinery: You have to have a per-user repository for sessions. A user can have an arbitrary number of sessions open at once (multiple browser windows). That means the session data can be very large. And that tends to require external databases. External databases and zope play very nicely together indeed, but it is an additional requirement.
We are talking about a couple of strings, not about storing MP3 files or videos in the session ;-) Zope's built-in session management does not need a database, though it might have limitations for scenarios with lots of large sessions as it will consume quite a lot of memory then.
2) policy problems: Each use can have an arbitrary number of sessions open. HTTP does not signal when a session should be closed, sessions are thus held in a frozen, and often useless state if a user abandons a session without logging out. This gives you one of two choices -- to time out a session after some amount of time, or to delete all sessions on login. [Logout is more natural, but you have no guarantee that logout will ever occur (the user may simply leave, or the browser crash, etc.)]. Arbitrary timeouts are guaranteed to hurt someone, some time. Login is more interesting, but makes session recovery after a crash more problematic.
Are these problems that are really serious? A decent timeout is fine with me.
3) Session IDs: You have to grant a session ID. How can it be stored? In hidden data! (Or in the functional equivalent of a cookie.) And unless you are encrypting all traffic, these can be sniffed while on the network. This gives a patient attacker plenty of opportunity to assume a session by simply responding to the request more quickly than the actual user. This is something the user is likely to "see", but, I suspect something the user is not likely to report. That is, in some sense, sessions reduce to hidden variables.
Not quite. You can do a "man-in-the-middle" attack, yes. But you can do that with every HTTP traffic that doesn't use SSL. And even then, you could sometimes trick the client into encrypting against the key of the "man-in-the-middle", who could then forward the data with his own key used for encryption (though that only works if the user is not careful to read the certificate info). With sessions, the attacker only sees that there is a session. All the data that isn't strictly needed for display at the browser end will stay on the server.
Look, HTTP is stateless, by design. Sessions are stateful, by design. A stateless and a stateful system are bound to react in odd ways when used together, at least sometimes.
Indeed sessions are not perfect. Using multiple browser windows will break some logic of session-based software. But that's the same with non-web software: If I was able to open a new (cloned) window in the middle of a conditional dialog in a Windows program, the program would also get rather confused.
Mind you, I am not blindly opposed to sessions; they sometimes make a great deal of sense, and I use them myself. If you have a LOT of data to transfer and several layers of forms, they can make life much easier, as the data does not have to be remarshalled into each form.
That's the point ...
Also, note that it is not hard to protect hidden variables, people just seldom do. For example, you could take a secret, concatenate the hidden values and calculate a SHA signature of this string. The server sends the hidden variabls, as usual, and also sends this SHA as an additional hidden variable. Now when the server gets the form back, it performs the calculation again. If the returned SHA does not match the newly calculated SHA, then the hidden variables have been tampered with and should be rejected.
I didn't know that one. Sounds reasonable to me.
Recap: use sessions when you have a lot of data to transfer across forms. Use hidden variables when you have small amounts to move. Sessions are often more secure in practice, not because they are inherently a better idea, but because session authors have often thought the problems through. In either case, if security is a concern, the sessionID and/or any hidden variables should be protected using a digital signature. If you use sessions, be sure that you understand and document the session expiration policy.
Fully agreed at the end. I'd also not use sessions if I just had to forward one or two attributes to the next screen ... Joachim
Jim Penny says:
1) heavier machinery: You have to have a per-user repository for sessions. A user can have an arbitrary number of sessions open at once (multiple browser windows). That means the session data can be very large. And that tends to require external databases. External databases and zope play very nicely together indeed, but it is an additional requirement.
The way Zope 2.5 sessions work, if you use cookies, each user only has one session namespace no matter how many browser windows he/she has open. That said, it's true that session data can be large. The default session storage is RAM-based so it's a bad idea to store lots of stuff in it. But you can put an instance of Zope's transient object container into any storage you like -- even one that is persistent, like the "main" FileStorage.
2) policy problems: Each use can have an arbitrary number of sessions open. HTTP does not signal when a session should be closed, sessions are thus held in a frozen, and often useless state if a user abandons a session without logging out. This gives you one of two choices -- to time out a session after some amount of time, or to delete all sessions on login. [Logout is more natural, but you have no guarantee that logout will ever occur (the user may simply leave, or the browser crash, etc.)]. Arbitrary timeouts are guaranteed to hurt someone, some time. Login is more interesting, but makes session recovery after a crash more problematic.
Session policy under 2.5 is one of "data expires after so many (configurable) minutes of disuse or at the developer's command." This is typical of most sessioning systems.
3) Session IDs: You have to grant a session ID. How can it be stored? In hidden data! (Or in the functional equivalent of a cookie.) And unless you are encrypting all traffic, these can be sniffed while on the network. This gives a patient attacker plenty of opportunity to assume a session by simply responding to the request more quickly than the actual user. This is something the user is likely to "see", but, I suspect something the user is not likely to report. That is, in some sense, sessions reduce to hidden variables.
Sure. It's not a good idea to rely on Zope's browser ids as keys which protect information which is actually stuff that you'd want to protect with authentication of some kind (like addresses, and god forbid, credit card numbers).
Look, HTTP is stateless, by design. Sessions are stateful, by design. A stateless and a stateful system are bound to react in odd ways when used together, at least sometimes.
I think of it as sessions trying to lend state to a stateless system. They are indeed a "hack" but they provide a uniform API that at least lets people pretend there's some state, which makes things a bit easier to think about in practice.
Recap: use sessions when you have a lot of data to transfer across forms. Use hidden variables when you have small amounts to move. Sessions are often more secure in practice, not because they are inherently a better idea, but because session authors have often thought the problems through. In either case, if security is a concern, the sessionID and/or any hidden variables should be protected using a digital signature. If you use sessions, be sure that you understand and document the session expiration policy.
I agree: don't rely on sessions or hidden form fields to securely maintain state with sensitive information unless you're communicating over SSL. - C
Panos, Try assigning the variable x to a hidden field in the form on DocumentB. It should then be carried over to DocumentC in the form section of the REQUEST object. Thanks, Steven Grimes Database Engineer sgrimes@acceleratedtechnology.com <mailto:sgrimes@acceleratedtechnology.com> Accelerated Technology, Inc. 720 Oak Circle Drive East Mobile, AL 36609 TEL: 251-661-5770 FAX: 251-661-5788 www.acceleratedtechnology.com <http://www.acceleratedtechnology.com> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Over Ten Years of Providing Embedded Solutions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----Original Message----- From: zope-admin@zope.org [mailto:zope-admin@zope.org]On Behalf Of Panos Hilaris Sent: Monday, January 28, 2002 12:09 PM To: zope Subject: [Zope] forms: copying objects from request to request I have the following problem: I have a form in dtml documentA where there is some variable x and the user gives some value to x, using the form. The dtml document associated with the action of the form of DocumentA is called DocumentB. If the submit button is pressed, DocumentB is loaded and the variable x is visible from REQUEST. Let's say DocumentB has also a form in it where there is some other variable (but not x). The form in DocumentB has associated with the action another document, called DocumentC. If the submit button is pressed DocumentC is loaded. Variables in form of DocumentB are visible from DocumentC. However, variable x in form of DocumentA is not visible from DocumentC. What should I do, in order to use the value of variable x in DocumentC. I believe I must, somehow, copy the value of x from REQUEST of A to B to the new REQUEST from B to C. ?hanks in advance, Panos Hilaris _______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
participants (6)
-
Chris McDonough -
Jim Penny -
Joachim Werner -
Maik Jablonski -
Panos Hilaris -
Steven Grimes