How do I pass data using sessions in Ruby CGI? - ruby

I am working on a guess-a-number game with Ruby that will be online. I know I need to pass the SESSION somehow to keep the number that they are guessing, but I have tried a ton of methods with no luck. My code is here.
Any thoughts on what I can do get this code working? I have declared each of my sections.

A session is, usually, a combination of a cookie (session cookie), or some session id tacked onto the url, which has some unique identification of the current "session" and a way to save the data on the server and retrieve it when given the id from the cookie.
So I would set a cookie based on for example ip + Time.now.to_i and then save that ID and the values I want set into a database or a text file on the hard drive. Note that there is probably a lot better ways to create a unique ID but aim for the simple stuff first. :)
I also recommend that you look into CGI::Session which you require with require 'cgi/session'.

Related

How to keep track of some user data without displaying it in the URL

I'm developing a web app with two languages, German and English. I have implemented searching on my webpage, and I want to keep track of the user's locale when searching.
How can I achieve this:
http://localhost:8080/user/search?search=pax?lang=de
instead of:
http://localhost:8080/user/search?search=pax
In my form I have:
action="/user/search"
I tried
action="<spring:message code="user.search.movie.link"/>
user.search.movie.link = /user/search or /user/search?lang=de
but it doesn't work.
Putting information in URL parameters is good in some cases*, but probably not this one. It seems likely that a user chooses their language setting once, around login time, and then rarely if ever changes it. Or it might even be set automatically. If so, language is something you might want to store in the user's session, or a persistent store like a database if you're using one. You seem to be using Spring, and I don't know a lot about their session handling, but their docs are at https://docs.spring.io/spring-session/docs/current/reference/html5/.
*: for more on this, you might want to read up on the differences between GET requests and POST requests (here's one of many SO posts on the topic). The most relevant part for you is that GETs are the ones that have visible parameters in the URL, but there are lots of other reasons to use one over the other.

how AntiForgeryToken() works in MVC and how to retrieve value at server action method from AntiForgeryToken?

i was reading about AntiForgeryToken but do not understand the actual use or importance. i saw people wrote a code like in their form as
#using (Html.BeginForm("Create", "Register"))
{
#Html.AntiForgeryToken()
}
so what it does....it will generate a unique token and when form will post then this unique toke will pass and as well as a cookie will pass with same unique token value and two unique data will compare at server end that both are equal or not. if not then some tamper occur.
i just do not understand if other form field value change or tamper then how that tampering can be determine. suppose we often store valuable data inside hidden fields. if i need to secure that hidden fields value then how AntiForgeryToken can help us?
can we use AntiForgeryToken to wrap up those valuable data inside it and later compare at server end.
can anyone give me bit of sample code by which i can put 3 valuable data in my page and if tamper then a friendly message will be show to user. guide me how to do it. thanks
The idea behind the AntiForgeryToken is to prevent data being posted from a "fake" source. An attacker using a fake (forged) form can trick the user to submit any kind of data using their current session context. As you can imagine this can do quite a lot of damage.
A way to prevent this is to have a hidden field on your forms containing user specific data(something random) that is stored in the session, so that the bad guys can't forge it. In this case when a user posts the data, but doesn't have the user specific token, you can treat is as being malicious.
I think you have a misconception that the anti forgery token is about detecting whether the data posted has been "tempered" with, which it is not.
Here is more on this.

Couchdb conceptual problems

As I understand, to update any object with couchdb. I have to send the whole object back since it is actually "inserting" a new revision for the same id. This is all neat and works quite well.
But then I have a problem, I'm not so sure how should I handle that. I have an object that can't be sent to my user completely. I have to hide certain informations such as password hash.
The data is sent to the client, the revision is sent too. Now when I try to update my object I have one problem. Since some data is missing, the update will erase the attributes that are missing from my user.
That said, the easiest way I have is to get the object from couchdb, check if id and rev matches. If it does match, merge the object with the missing attributes. It will work pretty well and I can support deleting attributes too.
Then using this technique, I could add my objects to a cache that will reduce the time to query frequent objects from the database. If the object can be updated, then clear the cache for that id. If the object is newer, then I'll have to handle the error or merge the object.
Is there any better "good way" to handle this problem?
edit
After thinking about it during the night, I think I found a much much better solution. Instead of having my username and password inside my profile. I'll separate the identification object from the use profile.
In other words, I'll have to split up the object as much as possible to keep things isolated... On the plus side, I can add multiple authentication for one profile without messing with the profile itself. I can return profiles and anything necessary without returning any secret object.
It will complicate a bit the logic of insertion but it should be quite easy...
Get 1 id from couchdb using the uuid api "_uuids"
Insert password authentications (username, password, profile_id) using that uuid
If succeed, insert profile using the uuid that we got at 1
If anything wrong happen, rollback and tell the users what's wrong.
Also the nice thing about this method is that I can add access_token for oauth2 using the profile id and the logic will be almost the same as password, the auth type will differ but any auth type should work almost the same.
Yeah, extracting the secret stuff from the profile documents sounds like the way to go.

Session.CFID / CFTOKEN VS Client.CFID / CFTOKEN

Our apps are using client variables management for unique identify a website visitor and eventually store it as the ID of an e-commerce order, for example.
Our customer orders table saves strings like "10000032:98517605:77134665" (cfid+cftoken) as its unique ID.
Now we need to get rid of client variables, so no more "CLIENT.cfid" in our code.
First thing that comes up to my mind is to simply replace that with "SESSION.cfid" and "SESSION.cftoken". But the big doubt is:
Will the generated id and token still be univoque against the existing ones?
Is it possible that making such a change will result in having "10000032:98517605:77134665" re-generated?
How can I make unique visitor ids, considering existing ones too?
I would set a new session value onSessionStart that you can guarantee would be unique. So in the onSessionStart method of Application.cfc, you can set something like:
<cfset Session.CustomerID = CreateUUID() />
With that, when the session begins, a UUID (guaranteed to be unique) will be put into the session scope. You can then use that for whatever you need. If this needs to be persistent, you could write it out to a cookie as well (since sessions don't persist long term like Client variables do).

Using Isset with native sessions in CodeIgniter

I've read about how CI handles sessions differently than native sessions and feel slightly insecure about storing all the data in a cookie(?), unlike PHP's native session which only stores the session ID(?). So I've decided to use native sessions without the CI native_session library.
Now, I know that the Input Class in CI validates Isset with a true/false statement like this:
if ($this->input->post('something'))
which renders the Isset function unable to work (it gives an error). However, I'd like to check my native sessions with the Isset function, so how can I do this? I've tried
if (isset($_SESSION['keyHere']))
which gives me an error.
So to sum up: I want to use Isset on my session array as I feel using
if ($_SESSION['keyHere'])
without the Isset might be 'dangerous/foolish'.
Also, as a last question I'm curious about which session handling you think is safest? CI's Session Class or PHP's native handling with server-side storage etc.? I'd very much like to feel as safe as possible when it comes to sessions, no matter if it means I'll have to write longer code.
Ok so, lets talk about the problem that you're having with isset!
i agree to all answers behind, the empty function its an good try, using array_key_exists too, but isset have your own place on php language.
At first you didn't post the error taht you're getting, bu as #GolezTrol saidyou're probally having trouble with session_start().
You need to put it on the top of the page, before any scripts. I would put this code before all scripts, and the best place to put it its inside the config/config.php page, at the start of it, or maybe on the root index.php
Using it, you will starting the session on all pages of your system.
Well, about your second question.
I think the session native of PHP its really secure, but the session of Codeigniter it's really nice too.
Codeigniter has some problems with the security, when we talk about cookies, if we are handling with important data of system, its hard to work with it, especially if someone else could edit it, thinking about all of it that i describe above, i could say that Codeigniter has a good seession library, even if we are working with important data.
If you don't believe on the security of cookie, just put on database, and you will have any trouble with it. The good thing its the ability and the facility to work with this class on everyplace of the system!
Actually i'm using the way of database, and i suggest it.
I would use array_key_exists instead of isset. isset also checks if the value is not null, so an array with an existing key but a value of null will still return false. You know it is an array and you want to check if a key exists, so it makes the most sense to use array_key_exists.
But that's not the problem. :D
I think you need to call session_start() first.
PHP's native session handling performs just fine as long as you are on a single webserver.
$data=$this->session->userdata("session variable");
if($data)
{
// do something
}
use this in your CI code files. it works for me all the time !
$logindata = $this->session->userdata('username');
if ($logindata !== FALSE)
{
//it exists
}
might help!
I've always used php function empty(); though it works differently if you don't know what you are doing.
If it's an empty array, it will
return FALSE
If it's NULL, it will return FALSE
I personally had little problems with the new session class in CI 2.0.2. Create a table called "sessions" and store the sessions in the database, using sess_use_database to true. Also set sess_encrypt_cookies to true, and lastly, if you want sessions to match with user IPs, use sess_match_ip. Oh, and make sure to set encryption key, which will make it even more secure.
PHP sessions are nice, but I personally like CI sessions better because it gives more flexibility. Especially when you are running multiple web heads with load balancer.
Hope that helps!
Why not use the built in CodeIgniter Session Class? it will provide the same functionality as the input class in regards to not forcing you to use isset().
It allows for encrypted sessions and uses it's own session implementation.
$this->session->userdata("keyHere"); // returns false if not set
You really should use the codeigniter session class. You can make it store the session data in the db so the cookie holds just a unique identifier. You can also set that cookie to be encrypted with the codeigniter security key.
Then, when you access session information, it acts like the normal input methods and so you can just do if($this->session->userdata('name')) rather than using isset or empty or whatever.

Resources