[Zope] URLs expose information which we'd like to hide
J Cameron Cooper
xdoclet at jcameroncooper.com
Fri Feb 6 16:54:50 EST 2004
Dennis Allison wrote:
>Dieter, can you elaborate on this a bit? Passing parameters with the
>URL (for example, http://foo.goo.com?p1=v1&p2=v2 ) seems to be locked
>in pretty deeply in the Zope paradigm. What would be your suggestion?
When submitting a form, it makes no difference to Zope the method you
use. In fact I almost always use POST, save when I want to see the
parameters for debugging purposes.

Only when you have a link that must provide parameters must you use URL
parameters. The cases where this is necessary are rare but do exist
(usually but not always for aesthetic purposes), and in this case,
there's no way to hide information in the link, though you can try
various key-based or hashing schemes: see the PasswordResetTool in the
Collective for such a technique.
"He who fights with monsters should look to it that he himself does not become a monster. And when you gaze long into an abyss the abyss also gazes into you."
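
An illustration of the key-based and hashing schemes mentioned in the message above, added here as an example; it is not code from the post or from PasswordResetTool. `LinkTokenStore`, `sign_params`, `verify_params`, `SECRET_KEY` and the one-hour lifetime are assumed names and values. The random-key variant keeps the parameter values out of the URL entirely; the HMAC variant leaves them visible and only detects tampering.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: per-deployment server-side secret
TOKEN_TTL = 3600                      # assumption: links stay valid for one hour


class LinkTokenStore:
    """Key-based scheme: the link carries a random key, the values stay server-side."""

    def __init__(self, ttl=TOKEN_TTL, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._entries = {}  # token -> (expiry timestamp, params)

    def issue(self, params):
        # 32 random bytes: the token reveals nothing and cannot be guessed.
        token = secrets.token_urlsafe(32)
        self._entries[token] = (self._clock() + self._ttl, dict(params))
        return token

    def redeem(self, token):
        """Return the stored params exactly once; None if unknown, reused or expired."""
        entry = self._entries.pop(token, None)
        if entry is None:
            return None
        expiry, params = entry
        return params if self._clock() <= expiry else None


def sign_params(query, key=SECRET_KEY):
    """Hashing scheme: append an HMAC so a modified query string is rejected."""
    mac = hmac.new(key, query.encode(), hashlib.sha256).hexdigest()
    return f"{query}&sig={mac}"


def verify_params(signed_query, key=SECRET_KEY):
    """Return the original query if the signature matches, otherwise None."""
    query, sep, mac = signed_query.rpartition("&sig=")
    if not sep:
        return None  # no signature present
    expected = hmac.new(key, query.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes avoids leaking how much of the MAC matched.
    return query if hmac.compare_digest(mac.encode(), expected.encode()) else None
```
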