[albatross-users] sessions vars question

Andrew McNamara andrewm at object-craft.com.au
Mon Mar 14 10:27:07 EST 2005


>    for example I have session variable 'name'
>    I create local context variable ctx.locals.name = 'username'
>    Add it to session ctx.add_session_vars('name').
[...]
>    And actually this works. BUT if I add to browser request string
>something like
>    http://host/mypage?name='qqqqqqq'
>    
>    I have in my code that user name not 'username' any more, but
>'qqqqqqq'.

Gabriel has given you the correct answer, but to explain the motivation -
the session variables are sourced from both the URL and the posted form
inputs to allow navigation within apps to use URLs.

It certainly makes some types of application much easier, but for other
types of application, it's too dangerous. The leading underscore prevents
that specific variable accepting its value from a form submission.

With the benefit of hindsight, I now feel that this merging of context
with form submissions is too powerful to be safe. Done again, I think
I would provide separate form "workspace" and "application context"
namespaces.

-- 
Andrew McNamara, Senior Developer, Object Craft
http://www.object-craft.com.au/
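
The behaviour discussed in this thread, as an added example that is not part of the original message and is not Albatross code: a simplified Python model of request inputs merged into the same namespace as session values, the leading-underscore guard, and the separate "workspace" and "application context" namespaces suggested in the reply. All class and function names are hypothetical, and the request string is constructed.

```python
# Simplified model of the behaviour discussed in this thread. This is NOT
# Albatross code; every class and function name here is hypothetical.
from urllib.parse import parse_qs


class MergedContext:
    """One namespace shared by session values and request inputs."""

    def __init__(self, session):
        self.locals = dict(session)

    def merge_request(self, query_string):
        ignored = []
        for name, values in parse_qs(query_string).items():
            if name.startswith("_"):
                # Leading underscore: never take this value from the request.
                ignored.append(name)
                continue
            # Any other name is overwritten by whatever the client sent.
            self.locals[name] = values[-1]
        return ignored


class SplitContext:
    """Separate namespaces: request input cannot reach application state."""

    def __init__(self, session):
        self.app = dict(session)  # "application context"
        self.form = {}            # form "workspace"

    def merge_request(self, query_string):
        for name, values in parse_qs(query_string).items():
            self.form[name] = values[-1]


def demo(query_string):
    session = {"name": "username", "_name": "username"}
    merged = MergedContext(session)
    ignored = merged.merge_request(query_string)
    split = SplitContext(session)
    split.merge_request(query_string)
    return merged.locals, ignored, split.app, split.form


if __name__ == "__main__":
    # Constructed request that supplies both a plain and an underscore name.
    for part in demo("name=qqqqqqq&_name=qqqqqqq"):
        print(part)
```

In the merged model only the underscore-prefixed name keeps its session value; in the split model both session values survive and the client-supplied values are visible only in the form namespace.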
