On 25/05/2006, at 3:11 AM, Bill de hÓra wrote:
> tomass wrote:
> >
>
> I actually like that solution (among other things it scales on a cluster without hammering a central db or having to distribute sessions). But if you want you could store data on the server and pass a form 'session' token as one hidden field across the pages.
>
> For really detailed forms I'd tend to use a URL as the hidden field and hold all the data captured there. If the user can go away later and re-continue where you don't just time them out on the session (ie like a grants application form) create a model for the form data and associate it with the user.

if you do plan on using hidden fields on a form/URL PLEASE PLEASE PLEASE make sure you encrypt them or at least generate an md5 checksum (adding your secret key into the key generation) on them.

see http://svn.zilbo.com/svn/django/magic-removal/common/utils/templatetags/media.py for some examples of this: explicitly: objref md5_secret

It is too easy for people to subvert hidden fields to do nasty things.

personally I would just use django's sessions application in your code.. add

request.session['mystuff'] = { 'a': value1, 'b': value2, etc etc }

and

mystuff = request.session['mystuff']

(which generates a cookie) or if storing them in a mysql DB is too slow (which is doubtful) .. use memcached or ldap instead.

> cheers
> Bill
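As an added example (not code from this thread or from the media.py templatetags the reply links), here is the keyed-checksum idea applied to a hidden field: the value is emitted together with a MAC under a server-side secret, and on the way back in the MAC is recomputed and compared in constant time. The reply suggests MD5 plus a secret; this uses the HMAC construction with SHA-256 instead. The secret key and the sample value are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample secret; in a Django project this would be settings.SECRET_KEY.
SECRET_KEY = b"constructed-sample-secret-do-not-reuse"


def _mac(value: str, secret: bytes) -> str:
    """Keyed digest over the value, url-safe base64 without padding."""
    digest = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def sign_hidden_field(value: str, secret: bytes = SECRET_KEY) -> str:
    """Return what goes into <input type="hidden">: value + ':' + mac."""
    return f"{value}:{_mac(value, secret)}"


def verify_hidden_field(token: str, secret: bytes = SECRET_KEY):
    """Return the original value if the MAC checks out, otherwise None.

    Splits on the last ':' so values that themselves contain ':' survive;
    a token with no MAC at all is rejected rather than trusted.
    """
    value, sep, mac = token.rpartition(":")
    if not sep:
        return None
    expected = _mac(value, secret)
    # compare_digest avoids leaking which byte of the MAC first differed
    if not hmac.compare_digest(mac, expected):
        return None
    return value


if __name__ == "__main__":
    token = sign_hidden_field("objref=42")   # constructed sample field value
    print(token)
    print(verify_hidden_field(token))        # the untampered value comes back
    tampered = "objref=43:" + token.rpartition(":")[2]
    print(verify_hidden_field(tampered))     # None: value changed, MAC did not
```

Anything the client can edit (hidden fields, URL parameters, cookies) gets the same treatment; the session approach the reply prefers avoids the problem by keeping the data server-side in the first place.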

