I'm looking for a way to obtain the last page requested in coldfusion. Is there a system value I can access to obtain that information? My end goal is to pass that value into a query for DB insertion.
no such system value but I guess you can keep track of it easily by using onRequestStart() in Application.cfc and store the requested page name/path in the Server or Application scope.
Related
hello guys hopefully you guys are willing to work with a newbie I'm working in django and handling a google map (in jscript) which upon displaying a marker I have set a link that is clickable that opens a django url passing data regarding the location of that marker. If that data does not exist in the database I have created a definition in my view that does a check and populates the database with that data if it does not exist. Now the issue here is that what ever you type in for the url parameters ends up becoming populated in the database since there is nothing to validate it against regardless of whether you click in the google map or not. Now what I was looking to do was limit this database addition strictly to when a user clicks on a google map link, what would you guys recommend?
ajax, sessions etc... ? and how to go about it an example per se?
It would be good to have more info.
As a general rule, the http GET method shouldn't be used to change data. In this case, use a POST request, probably through AJAX.
Sloane International Development: Hey guys I just want to know What Is a Persistent Cookie? as I have no idea about this
Please let me know
Persistent cookies – these files stay in one of your browser's subfolders until you delete them manually or your browser deletes them based on the duration period contained within the persistent cookie's file.
Session cookies - these are temporary cookie files, which are erased when you close your browser.
(to see the difference between the two types of Cookies).
Source: http://www.allaboutcookies.org/cookies/cookies-the-same.html
And maybe you want to know what Cookies are/do:
Cookies are usually small text files, given ID tags that are stored on your computer's browser directory or program data subfolders. Cookies are created when you use your browser to visit a website that uses cookies to keep track of your movements within the site, help you resume where you left off, remember your registered login, theme selection, preferences, and other customization functions.The website stores a corresponding file(with same ID tag)to the one they set in your browser and in this file they can track and keep information on your movements within the site and any information you may have voluntarily given while visiting the website, such as email address.
Source: http://www.allaboutcookies.org/cookies/
You should google it next time
I have a website programmed in Django, and as part of the website, I have a view counter for individual pages. However, since I test-view my own files rather often, I don't want to count views that I give to my own pages.
Right now, all I do is that when a specific page is requested, it simply updates a "views" variable in the model for that page by increasing it by 1. This is okay for my own purposes - I don't mind recording multiple views by the same person - but I simply don't want my own views to count.
What ways are there to do this? Please advise.
You can set a temporary cookie variable in your browser.
For example, in Chrome, you can use the following or the Resources tab on the Web Inspector:
browse to website
In browser URL bar, type: javascript:document.cookie="my_app_who_am_i=itsa_me_mario"
and pull it back using some django:
request.COOKIES.get('my_app_who_am_i')
Or if you had sessions setup already on your web server, you could set the cookie only when your account logs in.
response = render_to_response(template_name, context)
response.set_cookie('my_app_who_am_i', 'itsa_me_mario')
return response
You could use session for it. And when the session is for example, admin(you) then, don't count it.
You can add a cookie like "ignore_view" and if the cookie is present you don't increase the counter.
Consider the following scenario:
User searches for something and a list (request.session['List']) is created
User can filter this list via an ajax call
Now the user opens up a new tab, does another search, so now the session variable List is set to the new list for the other search
User goes back to the first tab and filters the results again. This time, the filter results come from the new list in the other tab as the session variable has changed
Is there a way to set different values for a session variable for different tabs? or any other solution for this problem?
There is no easy way to do this and it's not Django specific. Check this question:
How to differ sessions in browser-tabs?.
Session based on cookie will not certainly work as cookie is common between tabs for a specific site. Solutions based on URLs with session or local storage have their own issues and in general this is not a good idea because it adds a complexity that is not required in most cases.
In your case, why don't you store the list as JavaScript data or local storage? In that case each tab has its own data.
The server application identifies your requests and session by your session ID, this means that it does not know about tabs and such. In fact, if you give me your session ID, I will get the same list(see Session Hijacking not to get into such troubles).
That being said, if you really want to do that, you could play around with saving user-agent into your session, or make use of request.is_ajax()
You could have session['List'] = ... and session['List_ajax'] = ...`
Then you whould do:
return session['List_ajax'] if request.is_ajax() else sessoion['List']
I've got a webservice which is executed through javascript (jquery) to retrieve data from the database. I would like to make sure that only my web pages can execute those web methods (ie I don't want people to execute those web methods directly - they could find out the url by looking at the source code of the javascript for example).
What I'm planning to do is add a 'Key' parameter to all the webmethods. The key will be stored in the web pages in a hidden field and the value will be set dynamically by the web server when the web page is requested. The key value will only be valid for, say, 5 minutes. This way, when a webmethod needs to be executed, javascript will pass the key to the webmethod and the webmethod will check that the key is valid before doing whatever it needs to do.
If someone wants to execute the webmethods directly, they won't have the key which will make them unable to execute them.
What's your views on this? Is there a better solution? Do you forsee any problems with my solution?
MORE INFO: for what I'm doing, the visitors are not logged in so I can't use a session. I understand that if someone really wants to break this, they can parse the html code and get the value of the hidden field but they would have to do this regularly as the key will change every x minutes... which is of course possible but hopefully will be a pain for them.
EDIT: what I'm doing is a web application (as opposed to a web site). The data is retrieved through web methods (+jquery). I would like to prevent anyone from building their own web application using my data (which they could if they can execute the web methods). Obviously it would be a risk for them as I could change the web methods at any time.
I will probably just go for the referrer option. It's not perfect but it's easy to implement. I don't want to spend too much time on this as some of you said if someone really wants to break it, they'll find a solution anyway.
Thanks.
Well, there's nothing technical wrong with it, but your assumption that "they won't have the key which will make them unable to execute them" is incorrect, and thus the security of the whole thing is flawed.
It's very trivial to retrieve the value of a hidden field and use it to execute the method.
I'll save you a lot of time and frustration: If the user's browser can execute the method, a determined user can. You're not going to be able to stop that.
With that said, any more information on why you're attempting to do this? What's the context? Perhaps there's something else that would accomplish your goal here that we could suggest if we knew more :)
EDIT: Not a whole lot more info there, but I'll run with it. Your solution isn't really going to increase the security at all and is going to create a headache for you in maintenance and bugs. It will also create a headache for your users in that they would then have an 'invisible' time limit in which to perform actions on pages. With what you've told us so far, I'd say you're better off just doing nothing.
What kind of methods are you trying to protect here? Why are you trying to protect them?
ND
MORE INFO: for what I'm doing, the visitors are not logged in so I can't use a session.
If you are sending a client a key that they will send back every time they want to use a service, you are in effect creating a session. The key you are passing back and forth is functionally no different than a cookie (expect that it will be passed back only on certain requests.) Might as well just save the trouble and set a temporary cookie that will expire in 5 minutes. Add a little server side check for expired cookies and you'll have probably the best you can get.
You may already have such a key, if you're using a language or framework that sets a session id. Send that with the Ajax call. (Note that such a session lasts a bit longer than five minutes, but note also it's what you're using to keep state for the users regular HTPP gets and posts.)
What's to stop someone requesting a webpage, parsing the results to pull out the key and then calling the webservice with that?
You could check the referrer header to check the call is coming from one of your pages, but that is also easy to spoof.
The only way I can see to solve this is to require authentication. If your webpages that call the webservice require the user to be logged in then you can check the that they're logged in when they call the webservice. This doesn't stop other pages from using your webservice, but it does let you track usage more and with some rate limiting you should be able to prevent abuse of your service.
If you really don't want to risk your webservice being abused then don't make it public. That's the only failsafe solution.
Let's say that you generate a key valid from 12.00 to 12.05. At 12.04 i open the page, read it with calm, and at 12.06 i trigger action which use your web service. I'll be blocked from doing so even i'm a legit visitor.
I would suggest to restrain access to web services by http referrer (allow only those from your domain and null referrers) and/or require user authentication for calling methods.