Massimo,
Thanks for your reply.
It is not clear to me what you are storing in session.
I have a table 'node' and tables which reference this table by 'nodeID'.
Nodes have accounts; depending on the kind of account, their web site has
menu items linking to web pages. All these pages extend a layout view which
contains the elements all pages have in common. I store these elements in
session[id] to prevent the application from querying the database for the
same records on every request. For example, the styling is stored like this:
theme=db((db.nodeTheme.nodeID==id)&(db.nodeTheme.themeID==db.theme.id)).select(db.theme.ALL).first()
session[id].container=theme.container
session[id].navbarfixedtop=theme.navbarFixedTop
session[id].theme=theme
session[id] is instantiated in the router function and the elements are
stored in it in the index function of the web site.
The index function first checks:
if session[int(request.args(0))].accountID not in (ADVANCEDACCOUNTID, PREMIUMACCOUNTID):
    redirect(URL('addressbook','router',args=request.args(0)))
and then, based on a 'nav' table, sets access to the other functions to True
or False. Then every function checks:
if not session[int(request.args(0))]:
    redirect(URL('addressbook','router',args=request.args(0)))
elif not session[int(request.args(0))].openingHours:
    redirect(URL('addressbook','router',args=request.args(0)))
else:
    # execute the function body
This:
>
> id=int(request.args(0))
>
> account=db(db.nodeAccount.nodeID==id).select(db.nodeAccount.ALL).first()
> ...
> session[id]
>
> looks like a security vulnerability to me. Every user can access any
> record of the table and add to the current session.
> Web2py does not set a limitation, but the session can get arbitrarily
> bigger and therefore slower.
>
That's what I thought; therefore I wondered whether I could store all this
in html snippets which the layout view then includes. By including all the
conditions I'd hoped to decrease the security vulnerability.
Kind regards,
Annet.
--
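An added illustration of the concern raised in the quoted reply (not code from the thread or from web2py): plain dicts stand in for web2py's session and request, the `user_node_id` field is an assumed stand-in for the identity that web2py's auth would supply, and the table rows are constructed samples. It contrasts the session[id] pattern keyed by request.args(0) with a cache scoped to the logged-in node.

```python
from dataclasses import dataclass

# Constructed sample rows standing in for the nodeAccount and nodeTheme tables.
NODE_ACCOUNT = {1: "BASICACCOUNTID", 2: "PREMIUMACCOUNTID", 3: "ADVANCEDACCOUNTID"}
NODE_THEME = {1: {"container": "fluid"}, 2: {"container": "fixed"}, 3: {"container": "fluid"}}
ALLOWED_ACCOUNTS = ("ADVANCEDACCOUNTID", "PREMIUMACCOUNTID")


@dataclass
class Request:
    """Stand-in for web2py's request: args from the URL plus, as an assumption,
    the nodeID of the authenticated user (web2py would take it from auth)."""
    args: list
    user_node_id: int


def index_unsafe(session, request):
    """Pattern from the post: the session cache is keyed by a caller-chosen id,
    so any visitor can pull any node's records into the session, and the
    session grows by one entry per distinct id that is requested."""
    node_id = int(request.args[0])
    entry = session.setdefault(node_id, {})
    entry["theme"] = NODE_THEME[node_id]
    return entry


def index_safe(session, request):
    """Scope the cache to the node the caller is logged in as: refuse ids that
    do not match, check the account type before caching anything, and keep a
    single cache entry so the session stays bounded."""
    node_id = request.user_node_id
    if int(request.args[0]) != node_id:
        raise PermissionError("requested node does not match the logged-in node")
    if NODE_ACCOUNT.get(node_id) not in ALLOWED_ACCOUNTS:
        raise PermissionError("account type may not use this site")
    cached = session.get("node")
    if cached is None or cached["id"] != node_id:
        cached = {"id": node_id, "theme": NODE_THEME[node_id]}
        session["node"] = cached
    return cached


def access(session, request):
    """Run index_safe and report the outcome as a string (where web2py would
    redirect to the router instead of raising)."""
    try:
        index_safe(session, request)
        return "ok"
    except PermissionError as exc:
        return str(exc)
```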