Perhaps we could allow URL(..., user_signature=True) even without login by having it add session.hmac_key if it doesn't already exist.
Anthony

On Friday, May 24, 2013 9:00:14 AM UTC-4, Anthony wrote:
> Note, user_signature=True is a special case of digitally signed URLs. The generic way to digitally sign a URL is:
>
> URL(..., hmac_key=KEY) # create URL
>
> URL.verify(request, hmac_key=KEY) # verify signature in subsequent request for the URL
>
> That doesn't require user login, but if you use a single fixed hmac_key, the signatures will not be unique to each user (to limit the signature to a single user, you'll need to create a unique hmac_key, or optionally a unique salt, for each user and store it in the session).
>
> When you do URL(..., user_signature=True), it will automatically create a signature using session.auth.hmac_key, which is unique to each user, but requires login (given that the hmac_key is part of the auth object).
>
> Anthony
>
> On Friday, May 24, 2013 8:40:23 AM UTC-4, weheh wrote:
>> I've become an ajax junkie. (To be honest, I've been one for a while now.) Only now, since there are a lot of hacking attempts on my site, I'm going back and adding digital signatures to my ajax calls -- I thought this would bring me some peace of mind. But it looks like my calls are failing if the user isn't logged in. I suspect I'm interpreting _signature=True and @auth.requires_signature() incorrectly. They don't seem to work in the situation where the user isn't logged in. Am I right about that, or am I missing something?

-- 
You received this message because you are subscribed to the Google Groups "web2py-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
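To make the distinction in the thread concrete (a fixed site-wide hmac_key that anyone can reuse, versus a per-user key or salt kept in the session, plus Anthony's idea of minting a session hmac_key on demand when nobody is logged in), here is an added, self-contained example. It is not web2py's own code: `sign_url`, `verify_url` and `session_hmac_key` are names invented for this illustration, a plain dict stands in for the web2py session, and the `_signature` query parameter and the path/query canonicalisation are this example's own conventions rather than a description of how web2py's URL() and URL.verify() are implemented.

```python
"""Added example (not web2py's own code): HMAC-signed URLs with a fixed key
versus a per-user key or salt, modelled on the URL(..., hmac_key=KEY) /
URL.verify(request, hmac_key=KEY) pattern discussed in the thread.
All function names here are this example's own, not web2py's API."""

import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit

SIG_PARAM = "_signature"   # query-string parameter that carries the signature


def _as_bytes(value):
    return value if isinstance(value, bytes) else str(value).encode("utf-8")


def _canonical(path, params):
    """Canonical string that gets signed: the path plus the query parameters
    in sorted order, excluding the signature parameter itself."""
    items = sorted((k, v) for k, v in params if k != SIG_PARAM)
    return path + "?" + urlencode(items)


def sign_url(path, params, hmac_key, salt=b""):
    """Return path?params&_signature=<hex HMAC-SHA256 over the canonical form>.
    `salt` is optional extra per-user material, as the thread suggests
    (a unique salt per user, stored in the session)."""
    params = list(params)
    message = _as_bytes(salt) + _canonical(path, params).encode("utf-8")
    signature = hmac.new(_as_bytes(hmac_key), message, hashlib.sha256).hexdigest()
    return path + "?" + urlencode(params + [(SIG_PARAM, signature)])


def verify_url(url, hmac_key, salt=b""):
    """True only if the URL carries exactly one signature and it matches
    `hmac_key`/`salt` over the path and every other query parameter.
    Uses a constant-time comparison to avoid leaking the expected value."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    provided = [v for k, v in params if k == SIG_PARAM]
    if len(provided) != 1:
        return False            # missing or duplicated signature parameter
    message = _as_bytes(salt) + _canonical(parts.path, params).encode("utf-8")
    expected = hmac.new(_as_bytes(hmac_key), message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided[0])


def session_hmac_key(session):
    """Anthony's suggestion for the not-logged-in case, modelled here with a
    plain dict standing in for the web2py session: create a random key once
    per session, then reuse it. Hypothetical helper, not part of web2py."""
    if "hmac_key" not in session:
        session["hmac_key"] = secrets.token_hex(32)
    return session["hmac_key"]


if __name__ == "__main__":
    # Constructed sample input: one fixed site-wide key and two anonymous sessions.
    SITE_KEY = "fixed-site-wide-key"
    url = sign_url("/app/default/api", [("id", "42")], SITE_KEY)
    print(url)
    print("valid:", verify_url(url, SITE_KEY))
    print("tampered:", verify_url(url.replace("id=42", "id=43"), SITE_KEY))

    # With a fixed key, any visitor's signed URL verifies for every other visitor.
    # With a per-session key, a URL signed in one session fails in another.
    alice, bob = {}, {}
    url_alice = sign_url("/app/default/api", [("id", "42")], session_hmac_key(alice))
    print("alice's URL checked with bob's key:", verify_url(url_alice, session_hmac_key(bob)))
```

The per-session key covers the "ajax without login" case: the signature proves the URL was produced by the server for this session, without needing session.auth. The salt parameter shows the thread's other option, a fixed hmac_key combined with per-user salt. Note that a signature does not replace CSRF or authorisation checks on the action itself; it only proves the URL was not altered after the server built it.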

