Note, user_signature=True is a special case of digitally signed URLs. The generic way to digitally sign a URL is:

    URL(..., hmac_key=KEY) # create URL
    URL.verify(request, hmac_key=KEY) # verify signature in subsequent request for the URL

That doesn't require user login, but if you use a single fixed hmac_key, the signatures will not be unique to each user (to limit the signature to a single user, you'll need to create a unique hmac_key, or optionally a unique salt, for each user and store it in the session). When you do URL(..., user_signature=True), it will automatically create a signature using session.auth.hmac_key, which is unique to each user, but requires login (given that the hmac_key is part of the auth object).

Anthony

On Friday, May 24, 2013 8:40:23 AM UTC-4, weheh wrote:
> I've become an ajax junkie. (To be honest, I've been one for a while, now.)
> Only now, since there are a lot of hacking attempts on my site, I'm going back
> and adding digital signatures to my ajax calls -- I thought this would
> bring me some peace of mind. But, it looks like my calls are failing if the
> user isn't logged in. I suspect I'm interpreting _signature=True and
> @auth.requires_signature() incorrectly. They don't seem to work in the
> situation where the user isn't logged in. Am I right about that, or am I
> missing something?
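
Added example, not part of the thread and not web2py's own code: a standard-library Python sketch of the difference described above between one fixed hmac_key and a key stored per session, for visitors who are not logged in. The function names, the path, the key values and the dicts standing in for sessions are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

SITE_KEY = b"constructed-fixed-site-key"  # constructed sample value


def sign_url(path, params, key):
    """Return path?query with an HMAC-SHA256 `_signature` parameter appended."""
    pairs = sorted((k, str(v)) for k, v in params.items())
    message = f"{path}?{urlencode(pairs)}".encode()
    sig = hmac.new(key, message, hashlib.sha256).hexdigest()
    return f"{path}?{urlencode(pairs + [('_signature', sig)])}"


def verify_url(url, key):
    """Recompute the HMAC over path and parameters; compare in constant time."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == "_signature"]
    if len(sigs) != 1:  # missing or duplicated signature: reject
        return False
    rest = sorted((k, v) for k, v in pairs if k != "_signature")
    message = f"{parts.path}?{urlencode(rest)}".encode()
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(sigs[0].encode(), expected.encode())


def session_key(session):
    """Create once, then reuse, a random key kept in this visitor's session."""
    if "url_hmac_key" not in session:
        session["url_hmac_key"] = secrets.token_bytes(32)
    return session["url_hmac_key"]


def demo():
    alice, bob = {}, {}  # stand-ins for two anonymous visitors' sessions
    path, params = "/app/default/ajax_update", {"id": 7}  # hypothetical action
    shared = sign_url(path, params, SITE_KEY)
    private = sign_url(path, params, session_key(alice))
    return {
        # Fixed key: the link verifies no matter whose request carries it.
        "fixed_key_link_any_visitor": verify_url(shared, SITE_KEY),
        "session_link_same_session": verify_url(private, session_key(alice)),
        # Per-session key: the same link fails when replayed from another session.
        "session_link_other_session": verify_url(private, session_key(bob)),
        "session_link_tampered": verify_url(
            private.replace("id=7", "id=8"), session_key(alice)),
    }
```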

