It is not clear to me what you are storing in session.

This:

    id=int(request.args(0))
    account=db(db.nodeAccount.nodeID==id).select(db.nodeAccount.ALL).first()
    ...
    session[id]

looks like a security vulnerability to me. Every user can access any record 
of the table and add to the current session.
Web2py does not set a limitation, but the session can get arbitrarily 
bigger and therefore slower.
On Wednesday, 2 January 2013 03:10:45 UTC-6, Annet wrote:
>
> My application is completely node ID driven. I have the following router 
> function:
>
> def router():
>     if not len(request.args):
>         redirect(URL('addressbook','index'))
>     else:
>         id=int(request.args(0))
>         account=db(db.nodeAccount.nodeID==id).select(db.nodeAccount.ALL).first()
>         if account:
>             if account.statusID!=ACTIVE: # in that case the account is blocked or under maintenance
>                 redirect(URL('card',args=id))
>             elif account.accountID in(FREEACCOUNTID,BASICACCOUNTID):
>                 redirect(URL('vcard',args=id))
>             elif account.accountID==BASICHUBACCOUNTID:
>                 redirect(URL('vhub',args=id))
>             elif account.accountID in(ADVANCEDACCOUNTID,PREMIUMACCOUNTID,ADVANCEDHUBACCOUNTID):
>                 if not session[id]:
>                     session[id]=Storage(id=id)
>                     session[id].accountID=account.accountID
>                     session[id].pluralID=account.pluralID
>                 if account.accountID in(ADVANCEDACCOUNTID,PREMIUMACCOUNTID):
>                     redirect(URL('site','index',args=id))
>                 elif account.accountID==ADVANCEDHUBACCOUNTID:
>                     redirect(URL('hub','index',args=id))
>         else:
>             redirect(URL('card',args=id))
>         return None
>
> In the site.py and hub.py index function I store node's address and 
> telecom addresses, menu, hero unit and some other settings in the node's 
> session[id]
>
> At the moment this works fine. However, with the number of users 
> increasing I wonder whether this is the way to go; is there a limit to what 
> you can store in session? Most settings change when the user manages a 
> node's data in the CMS.
>
> Address and telecom have their own views: address.html and telecom.html, 
> which are included in other views. Maybe I'd better save address.html and 
> telecom.html in a folder static/node_ID/ when the user changed the data in 
> the CMS.
>
> This is also the case for menu and hero unit.
>
> I look forward to your advice.
>
> Annet
>

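As an added example (not code from this thread, and not web2py's own code), the following contrasts the per-id session pattern in the quoted router() with a bounded variant that verifies the caller owns the node before caching anything. gluon.storage.Storage and db.nodeAccount are replaced by a minimal stand-in class and a constructed in-memory table so the file runs offline; the ownerUserID column, the auth_user_id parameter and the numeric account constants are assumptions.

```python
# Added example, not from the thread: a session keyed by a client-chosen id
# grows by one entry per distinct id requested; a fixed key plus an
# ownership check keeps the session bounded. Stand-ins replace web2py objects.

ACTIVE = 1                                                   # assumed value
ADVANCEDACCOUNTID, PREMIUMACCOUNTID, ADVANCEDHUBACCOUNTID = 3, 4, 5  # assumed
PREMIUM_ACCOUNTS = (ADVANCEDACCOUNTID, PREMIUMACCOUNTID, ADVANCEDHUBACCOUNTID)


class Storage(dict):
    """Minimal stand-in for gluon.storage.Storage: a dict with attribute
    access where missing keys and attributes read as None."""
    __getattr__ = dict.get
    __getitem__ = dict.get
    __setattr__ = dict.__setitem__


# Constructed rows standing in for db.nodeAccount. ownerUserID is an assumed
# column: the thread never shows which user owns a node.
NODE_ACCOUNTS = {
    10: Storage(nodeID=10, statusID=ACTIVE, accountID=ADVANCEDACCOUNTID,
                pluralID=1, ownerUserID=100),
    11: Storage(nodeID=11, statusID=ACTIVE, accountID=PREMIUMACCOUNTID,
                pluralID=2, ownerUserID=101),
    12: Storage(nodeID=12, statusID=ACTIVE, accountID=ADVANCEDHUBACCOUNTID,
                pluralID=1, ownerUserID=102),
}


def node_entries(session):
    """Count per-node entries (integer keys) currently held in the session."""
    return sum(1 for key in session if isinstance(key, int))


def router_per_id(session, node_id):
    """Pattern from the quoted router(): one session entry per node id, keyed
    by a value the client supplied in request.args. No check ties the id to
    the logged-in user. Returns the number of node entries afterwards."""
    account = NODE_ACCOUNTS.get(node_id)
    if account and account.accountID in PREMIUM_ACCOUNTS:
        if not session[node_id]:
            session[node_id] = Storage(id=node_id,
                                       accountID=account.accountID,
                                       pluralID=account.pluralID)
    return node_entries(session)


def router_bounded(session, node_id, auth_user_id):
    """Hardened variant: only the node's owner may cache it, and only the
    current node is kept, under the fixed key 'node', so the session size
    does not depend on how many ids a client requests. Returns True when
    the node was cached."""
    account = NODE_ACCOUNTS.get(node_id)
    if not account or account.statusID != ACTIVE:
        return False
    if account.ownerUserID != auth_user_id:      # authorization check
        return False
    if account.accountID not in PREMIUM_ACCOUNTS:
        return False
    session.node = Storage(id=node_id, accountID=account.accountID,
                           pluralID=account.pluralID)
    return True


def demo():
    """Drive both routers over every node id as one user (id 100)."""
    unbounded = Storage()
    for nid in NODE_ACCOUNTS:
        router_per_id(unbounded, nid)
    bounded = Storage()
    cached = [router_bounded(bounded, nid, auth_user_id=100)
              for nid in NODE_ACCOUNTS]
    return node_entries(unbounded), cached, bounded.node.id


if __name__ == "__main__":
    print(demo())  # (3, [True, False, False], 10)
```

The first value shows the per-id session holding one entry for every id the client asked for; the bounded router caches only the node the user owns and never more than one at a time.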