URL shortening with POST data - url-rewriting

Many services (eg, bit.ly) will shorten URLs, even those w/ GET data,
since that's just part of the URL.
Do any work w/ POST data? In some cases (eg, certain types of CBOE
option quotes), you must POST data to get the information you want.
The service might bring up a page (eg, shorten.com/foo) that has:
<form action="/url/to/post/to">
<input type="hidden" name="var1" value="val1">
...
<input type="submit" value="SUBMIT">
</form>
where the /url/to/post/to and var1/val1/etc are set by the person
creating the shortened URL. It would also say:
"By pressing the button below, you will post this data to this URL:
/url/to/post/to: [list of hidden fields and values]"
Seems useful and easy to do... has anyone done it?

OK, this seems to have degenerated into a moral argument. I'll assume the answer is no, no one has already done this.

I see two big problems:
Who is going to copy/paste the form (often generated by JavaScript)? Regular users? It would only be open to people with enough technical competence to do it. And it may not have the intended effects, since some data may be in cookies or held server-side.
Also, POST requests are not usually considered an open API for anyone to use. Usually, data is built up over a series of steps with possible use of cookies and login information. Websites are not going to be happy with letting people delete their account or bypass certain pages that are in the normal process flow.

Related

How to keep track of some user data without displaying it in the URL

I'm developing a web app with two languages, German and English. I have implemented searching on my webpage, and I want to keep track of the user's locale when searching.
How can I achieve this:
http://localhost:8080/user/search?search=pax?lang=de
instead of:
http://localhost:8080/user/search?search=pax
In my form I have:
action="/user/search"
I tried
action="<spring:message code="user.search.movie.link"/>"
user.search.movie.link = /user/search or /user/search?lang=de
but it doesn't work.
Putting information in URL parameters is good in some cases*, but probably not this one. It seems likely that a user chooses their language setting once, around login time, and then rarely if ever changes it. Or it might even be set automatically. If so, language is something you might want to store in the user's session, or a persistent store like a database if you're using one. You seem to be using Spring, and I don't know a lot about their session handling, but their docs are at https://docs.spring.io/spring-session/docs/current/reference/html5/.
*: for more on this, you might want to read up on the differences between GET requests and POST requests (here's one of many SO posts on the topic). The most relevant part for you is that GETs are the ones that have visible parameters in the URL, but there are lots of other reasons to use one over the other.

Is using if/then in VIEWS a reasonable security practice?

I'm guessing no. Here's the situation I have in mind:
form action='/12345/destroy', method='POST'
- if @current_user.kind_of? Admin
button
- else
span You can't do that
What's the better way to go about constructing a page like this? Create a controller for those "in charge" and have the buttons there? What if the admin chooses to disallow some users from using the delete button, are we back to square one? Thanks
Your example is perfectly fine IMHO, but it really depends on your requirements. If you think that someday there will be the need for more kinds of users and you're afraid the views could get messy, I'd recommend looking into an ACL library. Alternatively you can always roll your own authorization layer.
Your view is fine, but obviously, it is in no way secure. You have to check the privileges in your "controller" (if you have one) or in that request's receiving end.
Also, that logic will probably be used in more than one place. You might consider extracting it into a helper method.
form action='/12345/destroy', method='POST'
= render_destroy_action_for @current_user
Once you have that logic hidden in a method, it will be easier to change later.
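The point of the two answers above, as an added example in plain JavaScript (not code from the question or either answer; all names are hypothetical): one policy function feeds both the view helper that hides the button and the request handler that actually refuses the action, and the revocation set covers the "admin disallows some users" case without touching the view.

```javascript
// Added example. A single authorization policy shared by the view and the
// handler. Hiding the button is cosmetic; the handler's check is the control.

// Policy: admins may destroy, unless their id has been revoked by another admin.
function canDestroy(user, revokedIds = new Set()) {
  return Boolean(user) && user.kind === "Admin" && !revokedIds.has(user.id);
}

// View helper, the equivalent of `= render_destroy_action_for @current_user`.
function renderDestroyActionFor(user, revokedIds) {
  return canDestroy(user, revokedIds)
    ? '<button type="submit">Destroy</button>'
    : "<span>You can't do that</span>";
}

// Handler for POST /:id/destroy. request = { user, params } (hypothetical shape),
// store is a Map standing in for the database. A user who copied the form
// markup and posted it anyway still gets 403 here.
function destroyHandler(request, store, revokedIds) {
  if (!canDestroy(request.user, revokedIds)) {
    return { status: 403, body: "forbidden" };
  }
  store.delete(request.params.id);
  return { status: 200, body: "deleted" };
}
```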

how AntiForgeryToken() works in MVC and how to retrieve value at server action method from AntiForgeryToken?

I was reading about AntiForgeryToken but do not understand the actual use or importance. I saw people write code like this in their form:
@using (Html.BeginForm("Create", "Register"))
{
@Html.AntiForgeryToken()
}
So what it does... it will generate a unique token, and when the form is posted this unique token will be passed, and a cookie will be passed as well with the same unique token value, and the two unique values will be compared at the server end to check whether they are equal or not. If not, then some tampering occurred.
I just do not understand, if other form field values change or are tampered with, how that tampering can be determined. Suppose we often store valuable data inside hidden fields. If I need to secure those hidden field values, then how can AntiForgeryToken help us?
Can we use AntiForgeryToken to wrap up that valuable data inside it and later compare at the server end?
Can anyone give me a bit of sample code by which I can put 3 valuable data items in my page, and if tampered with then a friendly message will be shown to the user? Guide me how to do it. Thanks
The idea behind the AntiForgeryToken is to prevent data being posted from a "fake" source. An attacker using a fake (forged) form can trick the user to submit any kind of data using their current session context. As you can imagine this can do quite a lot of damage.
A way to prevent this is to have a hidden field on your forms containing user specific data (something random) that is stored in the session, so that the bad guys can't forge it. In this case when a user posts the data, but doesn't have the user specific token, you can treat it as being malicious.
I think you have a misconception that the anti forgery token is about detecting whether the data posted has been "tampered" with, which it is not.
Here is more on this.

ajax search form for ColdFusion

I am looking for some technique like search form or form filter.
This is a reference .
It is a hotel finding website.
My question is here, how to use coldfusion to create this kind of searching form with ajax?
Please give me some ideas or tips; I will appreciate your assistance!
I have just got some idea on an ajax search form with text.
<form>
Search: <input type="text" name="search">
<input type="button" value="Search">
</form>
<cfdiv bind="url:movieresults.cfm?search={search}">
</cfdiv>
In general terms, a search form in CF has the same basic concept as a search form in any other format: you have a form wherein you allow the user to supply search criteria and you have some collection of data to search against. So, you see the actual search form itself is only but a small part of searching. You need to construct the data object you will search against and you need to build the pieces to add to that collection (if necessary) and maintain it. Tossing in the Ajax interface will only complicate matters so I'd recommend you stick with a basic search HTML form and once you've mastered submitting a search, doing the search through your data collection and returning that collection to the user in the form of a useful results page...only then should you consider modifying it to run with an Ajax engine.
A good place to start for how to work with cfindex and cfsearch (Coldfusion's tags that create the data collection and to search against that collection) would be found here.
Walking before running, grasshopper. If you encounter any specific problems, feel free to come back here and we'll see what we can do for you. In the meantime, check out our ColdFusion resources thread. It has a great many links to common CF resources that all CF devs, beginners to experts, need/use to help get the job done.

GET vs POST in Ajax

What is the difference between GET and POST for Ajax requests?
I don't see any difference between those two, except that when I use GET, the parameters are sent in the URL, which for me doesn't really make any difference, since all requests are made in the background and the user doesn't notice any difference.
edit:
What are PUT and DELETE methods used for?
GET is designed for getting data from the server. POST (and lesser-known friends PUT and DELETE) are designed for modifying data on the server.
A GET request should never cause data to be removed from an application. If you have a link you can click on with a GET to remove data, then Google spidering your site could click on all your "Delete" links.
The canonical answer can be found here, which quotes the HTML 2.0 spec:
If the processing of a form is idempotent (i.e. it has no lasting observable effect on the state of the world), then the form method should be GET. Many database searches have no visible side-effects and make ideal applications of query forms.
If the service associated with the processing of a form has side effects (for example, modification of a database or subscription to a service), the method should be POST.
In your AJAX call, you need to use whatever method your server supports. You should always design your server so that operations that modify data are called by POST/PUT/DELETE. Other comments have links to REST, which generally maps C/R/U/D to "POST or PUT"(Create)/GET(Read)/PUT(Update)/DELETE(Delete).
If you're sending large amounts of data, or sensitive data over HTTPS, you will want to use POST. If it's just a simple parameter, I would use GET.
GET requests have a limit to the amount of data that can be sent. I forget the exact number, but this can cause issues if you're sending anything substantial.
Basically the difference between GET and POST is that in a GET request, the parameters are passed in the URL, whereas in a POST, the parameters are included in the message body.
Whether it's AJAX or not is irrelevant. It's about the action that you're taking. I'd recommend following the principles of REST, which have further provisions for updating, deleting, etc.
GET requests are easier to exploit in CSRF (cross site request forgery) attacks. Namely fake POST requests require Javascript to be enabled on the user side, while fake GET requests are still possible just with img, script tags.
Many web servers limit the length of the data that can be passed as part of the URL, so the GET request may break in odd ways that are hard to debug.
Also, most server software logs URLs in the access logs, so if you pass sensitive information (such as passwords) in a GET request, this will in all likelihood be written to disk in plaintext.
From a REST perspective, GET requests should have no side-effects -- they shouldn't modify data. So, if you're just GETting a resource by ID, this makes sense, but if you're committing changes to a resource, you should be using PUT, POST, or UPDATE for the HTTP verb.
Both are used to send some data and receive some response using that data.
GET: get information stored on the server, i.e. search, tweet, person information. If you want to send information, then a GET request sends it using process.php?name=subroto
So it basically sends information through the URL. A URL cannot handle more than 2083 characters. So for a blog post, can you remember, it is not possible?
POST: POST does the same thing as GET. User registration, user login, sending big data, blog posts.
If you need to send secure information then use POST, or for big data, as it does not go through the URL.
AJAX: $.get() and $.post() contain features that are subsets of $.ajax(). It has much more configuration.
The $.get() method is a kind of shorthand for $.ajax(). When using $.get(), instead of passing in an object, you pass in arguments. At minimum, you'll need the first two arguments, which are the URL of the file you want to retrieve (i.e. 'test.txt') and a success callback.
Summary:
$.get( url [, data ] [, success ] [, dataType ] )
$.post( url [, data ] [, success ] [, dataType ] ) // for sending secure or large information
$.ajax( url [, settings ] ) // More configuration
First, general information. Use GET if you only read data, use POST if you change something on database, txt files etc.
But the problem is, some browsers cache GET results. I had problems with AJAX requests in IE7, but at last I found out that the browser caches GET results. I rethought the flow and changed my request to POST.
So, don't use GET if you don't want caching.
(Of course you can disable caching in GET operations. But I didn't prefer it)
About me, I prefer POST. I reserve GET for the events where I know the sent value is limited to data I have "control" of, for example, to retrieve an item with an id. Example: "getitem?id=123", "deleteItem?id=123", ... For the other cases, when I have a form fillable by a user, I prefer POST.
Like Ryan Smith has said, it's better to use POST to send a large amount of data, and there are fewer worries in cases of use in other languages/special chars (generally all major JavaScript frameworks shouldn't have any problems dealing with that, but I think it is less worry to use POST).
For the REST perspective, in my opinion, you can use this with a new project (to keep consistency with the entire project).
Finally, maybe some programs used in a network (URL loggers (i.e. to see if the employees lose their time on non-authorised sites, ...), proxies, ...) or any other kind of tool can intercept the query. Some will show in the reports the params you have sent with GET, considering it like a different web page. But in this situation, it could be not your problem; it changes from one project to another! ;)
The difference is the same between GET and POST whether you're using Ajax, HTML forms, or curl. Here are the relevant definitions:
GET
POST
If you are passing on any arguments with characters that can get messed up in the URL (such as spaces), you use POST. Otherwise you can use GET.
Generally, if you're just passing on a few tiny arguments you would use GET. But for passing on user submitted information such as blog entries, text, etc., it's a good practice to use POST.
There are also certain frameworks that rely completely on segment based URLs (such as site.com/products/133 rather than site.com/products.php?id=333), and these frameworks unset the GET variables for security. In such cases you would use POST all the time.
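The recurring points of the answers above (GET is idempotent and read-only, create/update/delete go through POST/PUT/DELETE, and query strings end up in access logs while request bodies do not), as an added example in plain JavaScript that is not code from any answer. The route table, request shape and log format are assumptions.

```javascript
// Added example: a dispatcher that enforces the GET/POST split described above.
const SAFE_METHODS = new Set(["GET", "HEAD"]);

// Hypothetical route table: each handler declares whether it changes state.
// Create/Read/Update/Delete map to POST/GET/PUT/DELETE as the REST answers say.
const routes = {
  "GET /items":    { mutates: false, run: (db) => [...db.keys()] },
  "POST /items":   { mutates: true,  run: (db, body) => { db.set(body.id, body); return body.id; } },
  "PUT /items":    { mutates: true,  run: (db, body) => { db.set(body.id, body); return body.id; } },
  "DELETE /items": { mutates: true,  run: (db, body) => db.delete(body.id) },
};

// db is a Map standing in for the database. Everything reachable by GET is
// read-only, so a crawler following every link on the site cannot delete data.
function dispatch(req, db) {
  const route = routes[`${req.method} ${req.path}`];
  if (!route) return { status: 405 };
  // Defence in depth: a route wrongly declared as mutating on a safe method is refused.
  if (route.mutates && SAFE_METHODS.has(req.method)) return { status: 405 };
  return { status: 200, result: route.run(db, req.body || {}) };
}

// Common access-log formats record the method and full request target but not
// the body: a password sent as a GET parameter lands in the log, a POST body does not.
function accessLogLine(req) {
  const qs = req.query ? `?${new URLSearchParams(req.query)}` : "";
  return `${req.method} ${req.path}${qs}`;
}
```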
