开发者

Simple security question - how to pass a params-like security code in everyday actions?

开发者 https://www.devze.com 2023-02-16 14:00 出处:网络
I have some situations where I want to be sure that one controller action (or route) can o开发者_开发问答nly be accessed by another controller action and not by being typed in. For example, I have a c

I have some situations where I want to be sure that one controller action (or route) can o开发者_开发问答nly be accessed by another controller action and not by being typed in. For example, I have a couple of 'switchboard' controller actions that resolve internal analytics, set initial values, then send different users off to their respective destinations (each destination has its own controller action).

An example of this situation: a user should only be able to view a record having gone through the switchboard action first.

Is one way to do this would be to involve perishable tokens somehow? (I am using AuthLogic in my app).


I have done something similar using a session. In my case an action had :

session[:boss_attack] = 1

and the other action had :

if session[:boss_attack] != 1
    redirect_to :action => 'index' and return
else
    session[:boss_attack] = 0
end  

And then i would continue with the actual action. It seems to be working fine :)


As @SpyrosP suggested, one option would be to use a session.

To clarify, the session should be a server-side session. If you're using cookie sessions, you should consider another storage method. Rails cookie storage sessions should be secure, but even the docs suggest using another method if you don't want the user to see the data (http://apidock.com/rails/ActionDispatch/Session/CookieStore)

If you use server-side session store (http://apidock.com/rails/ActiveRecord/SessionStore) your risk is reduced considerably. The only thing stored on the client browser is a cookie that maps to a record on the server side. Rails does all the heavy lifting to avoid session hijacking and fixation attacks.

0

精彩评论

暂无评论...
验证码 换一张
取 消

关注公众号