[Zope] URLs expose information which we'd like to hide

J Cameron Cooper xdoclet at jcameroncooper.com
Fri Feb 6 16:54:50 EST 2004


Dennis Allison wrote:

>Dieter, can you elaborate on this a bit?  Passing parameters with the 
>URL (for example,  http://foo.goo.com?p1=v1&p2=v2 ) seems to be locked
>in pretty deeply in the Zope paradigm.  What would be your suggestion?
>
When submitting a form, it makes no difference to Zope the method you 
use. In fact I almost always use POST, save when I want to see the 
parameters for debugging purposes.

Only when you have a link that must provide parameters must you use URL 
parameters. The cases where this is necessary are rare but do exist 
(usually but not always for aesthetic purposes), and in this case, 
there's no way to hide information in the link, though you can try 
various key-based or hashing schemes: see the PasswordResetTool in the 
Collective for such a technique.

          --jcc

-- 
"He who fights with monsters should look to it that he himself does not become a monster. And when you gaze long into an abyss the abyss also gazes into you."
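
One way to build a key-based link of the kind mentioned above, as an added example that is not part of the original post and is not PasswordResetTool's code. The class and function names, the `key` parameter and the `/reset` path are assumptions made for illustration: the link carries only a random, single-use, expiring key, and the real parameters stay on the server.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit


class LinkTokenStore:
    """Maps opaque random keys to the parameters a link would otherwise expose."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        # Only a hash of each key is kept, so a leaked store cannot mint links.
        self._entries = {}  # sha256(key) -> (params, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, params):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._entries[self._digest(token)] = (dict(params), self._clock() + self._ttl)
        return token

    def redeem(self, token):
        try:
            digest = self._digest(token)
        except UnicodeEncodeError:  # non-ASCII input can never be a valid key
            return None
        entry = self._entries.pop(digest, None)  # pop makes the key single-use
        if entry is None:
            return None
        params, expires_at = entry
        return params if self._clock() <= expires_at else None


def build_link(base_url, store, params):
    # The URL exposes only the opaque key, never the parameter names or values.
    return base_url + "?" + urlencode({"key": store.issue(params)})


def resolve_link(url, store):
    keys = parse_qs(urlsplit(url).query).get("key", [])
    return store.redeem(keys[0]) if len(keys) == 1 else None
```
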



