Hello Zope-people,

I'm writing a LoginManager plugin for a quiz-taking website, and I have cookies which expire after a manager-defined time. If someone's taking a quiz for longer than the cookie duration and their cookie expires, they're going to have to relogin, but I would rather not lose what data they've entered already. I have a separate login page so it can be under SSL, and I adapted the given loginForm and took its ability to maintain GET data by passing the QUERY_STRING variable onto the login-success page and reconstructing the URL there and redirecting to it.

This works great, but I'd rather not limit people to passing things in GET, for various reasons (quiz answers showing up in the browser history, requests being too large, etc.). But I don't know what the variables are beforehand, so I can't just pass them along. Is there any way to pass along all of the POSTed variables through the login page so that I can redirect to the desired page later with the values intact? Is this a lost cause? I don't mind if it would require Python to do it, but is it even possible? I have no idea how to tackle that, but I didn't even know about the QUERY_STRING variable before I saw the LoginManager DTML, so maybe there is hope.

Of course, I'm not even sure this would even work HTML-wise, since I don't know a way to pass GET data and do a redirect at the same time. May not be possible (is there a workaround for that?)

Oh, and I have absolutely no opinion on Perl ;-)

Thanks,
Andrew
On Fri, 26 May 2000, Andrew H. Chatham wrote:
This works great, but I'd rather not limit people to passing things in GET, for various reasons (quiz answers showing up in the browser history, requests being too large, etc.). But I don't know what the variables are beforehand, so I can't just pass them along. Is there any way to pass along all of the POSTed variables through the login page so that I can redirect to the desired page later with the values intact? Is this a lost cause? I don't mind if it would require Python to do it, but is it even possible? I have no idea how to tackle that, but I didn't even know about the QUERY_STRING variable before I saw the LoginManager DTML, so maybe there is hope.
I almost got around to doing this for GUF. It would involve interrogating REQUEST.form, and generating a load of hidden controls. One problem to be solved is that in some cases Zope will have messed with your form data before your code sees it (The name="myname:int" notation). It would be possible to handle some of these cases using an external method to interrogate the data type and generate the correct <input type=hidden name="myname:int"> code, but I can't see how to handle :record or :method etc.
Oh, and I have absolutely no opinion on Perl ;-)
We will finally have a way of handling regular expressions without resorting to external methods :-) I can't program in Perl any more. I keep forgetting my semicolons :-(

--
Stuart Bishop                  Work: zen@cs.rmit.edu.au
Senior Systems Alchemist       Play: zen@shangri-la.dropbear.id.au
Computer Science, RMIT
Stuart 'Zen' Bishop wrote:
I almost got around to doing this for GUF. It would involve interrogating REQUEST.form, and generating a load of hidden controls.
One problem to be solved is that in some cases Zope will have messed with your form data before your code sees it (The name="myname:int" notation). It would be possible to handle some of these cases using an external method to interrogate the data type and generate the correct <input type=hidden name="myname:int"> code, but I can't see how to handle :record or :method etc.
Here's a very silly idea: Could you pickle and Base64 encode the data you want to pass, and then shove it in a single hidden control?

--
Steve Alexander
Software Engineer
Cat-Box limited
On Fri, May 26, 2000 at 11:05:23AM +0100, Steve Alexander wrote:
Here's a very silly idea:
Could you pickle and Base64 encode the data you want to pass, and then shove it in a single hidden control?
I am afraid that is a very silly security hole. Anyone can replace that pickle with any other pickle, which the server will then instantiate. Anything goes. I could, for example, pickle up a ZServer Monitor instance that listens on all interfaces, and uses a password known by me. Base64 this pickle, send it to your server, it'll create this instance, ZServer will pick it up (it works that way, I am told), and suddenly, I can step into your Zope process from anywhere, accessing all of the Zope process without restrictions, and having access to your server as whatever user you are running Zope as.

So, no, not a good idea. Accepting pickles over the web never is.

--
Martijn Pieters
| Software Engineer    mailto:mj@digicool.com
| Digital Creations    http://www.digicool.com/
| Creators of Zope     http://www.zope.org/
| The Open Source Web Application Server
---------------------------------------------
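As an added example (not code from this thread, from GUF, or from Zope itself), here is the hidden-control approach Stuart describes, written against a plain dict that stands in for REQUEST.form. It reproduces Zope's `:int`, `:float` and `:list` name suffixes so the values are marshalled back to the same types on the next request, escapes every name and value as an attribute, and refuses anything it cannot re-express (records, methods, file uploads) instead of falling back to the opaque serialised blob Martijn warns about. The form dict and the quiz values in it are constructed for the example.

```python
import html

# Zope marshalling suffixes that can be rebuilt from a plain Python value.
# :record and :method values cannot be recovered from REQUEST.form alone
# (the limitation noted above), so they are refused rather than guessed.
_SCALAR_SUFFIX = {int: ":int", float: ":float", str: ""}


def _hidden(name, value):
    """One hidden control, name and value escaped for use in an attribute."""
    return '<input type="hidden" name="%s" value="%s">' % (
        html.escape(name, quote=True), html.escape(str(value), quote=True))


def _suffix_for(name, item):
    """Zope converter suffix for a scalar, or ValueError if none applies."""
    suffix = _SCALAR_SUFFIX.get(type(item))  # bool is not int here: rejected
    if suffix is None:
        raise ValueError("cannot re-marshal %r (%s)" % (name, type(item).__name__))
    return suffix


def hidden_fields(form):
    """Re-emit an already-marshalled form dict as hidden controls.

    `form` is a plain dict standing in for Zope's REQUEST.form (assumption
    for this example): string keys, values already converted by Zope's
    :int/:float/:list rules. A list value becomes one control per item,
    each carrying ':list', so Zope rebuilds the list on resubmission.
    An empty list emits nothing, so that key is absent after the round trip.
    """
    fields = []
    for name, value in sorted(form.items()):
        if isinstance(value, list):
            for item in value:
                fields.append(_hidden(name + _suffix_for(name, item) + ":list", item))
        else:
            fields.append(_hidden(name + _suffix_for(name, value), value))
    return fields


# Constructed sample: a quiz POST after Zope has applied its converters.
SAMPLE_FORM = {"q1": 'Paris <"capital">', "attempt": 2, "picks": [3, 5]}

if __name__ == "__main__":
    print("\n".join(hidden_fields(SAMPLE_FORM)))
```

Emitting the controls inside the login form, rather than anything the browser could hand back as a serialised object, keeps the server from ever deserialising untrusted input.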