  1. #1
    Non-Member
    Join Date
    Jul 2005
    Posts
    606

    extra query string params in rails

    Say I wanted to pass more than an id, i.e. account/some_username/some_password/ in the query string... I would have to set up a new route, no? Otherwise it comes back with a routing error... how come this is the case? I would have thought it would just pass extra elements to the params object by default?

  2. #2
    SitePoint Enthusiast Stevenwulf's Avatar
    Join Date
    May 2002
    Location
    Berkeley
    Posts
    76
    Hi Bob,

    Yes, you will have to set up a new route.

    BTW, you probably shouldn't pass the username or password around in the url.

    The reason you need to set up a new route, is so rails can determine where in the parameter hash to place your extra argument. The route that gets used will determine this. In your case you might have something like:

    Code:
       map.connect 'account/:username/:password',
         :controller => 'account',
         :action => 'some_action'
    When this route matches, rails knows to put the url item in the third position into params["password"]


    Here is a more in depth explanation:

    http://rails.outertrack.com/class/Ac...ing%3A%3ARoute

  3. #3
    Non-Member
    Join Date
    Jul 2005
    Posts
    606
    Cheers. I know it's not good to pass sensitive information in the qs - but unfortunately my app has a weird requirement and this seems to be the most efficient solution - only the encrypted password will be passed to the app, not the raw form.

  4. #4
    SitePoint Guru silver trophy Luke Redpath's Avatar
    Join Date
    Mar 2003
    Location
    London
    Posts
    794
    FWIW, if you want to send extra params via GET, you can simply send them using the normal querystring format:

    Code:
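    # link_to takes the link text first, then the URL options;
    # options that no route segment claims are appended as a query string
    link_to 'Link text', :controller => 'mycontroller', :action => 'myaction', :foo => 'bar'

    # the generated href becomes:
    # /mycontroller/myaction?foo=bar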
    No need for extra routes that way.
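
    The route from post #2 and the query-string form above both put the value into the request URL, so it is written to web server access logs. The sketch below is an added example, not code from any poster and not Rails' own router: a simplified matcher that shows how `account/:username/:password` names its segments (and why an extra segment fails to match), plus a redaction pass for log lines. The helper names, the `SENSITIVE` list and the sample values are assumptions made for illustration.

```ruby
SENSITIVE = %w[password passwd token].freeze # assumed list of sensitive param names

# Compile 'account/:username/:password' into a regex and ordered param names.
def compile_route(template)
  names = []
  source = template.split('/').map { |seg|
    next Regexp.escape(seg) unless seg.start_with?(':')
    names << seg[1..-1]
    '([^/?]+)'
  }.join('/')
  [%r{\A/#{source}/?\z}, names]
end

# Params hash for a path, or nil when the route does not match
# (the "routing error" case: an extra segment has no name to land under).
def match_path(template, path)
  regex, names = compile_route(template)
  m = regex.match(path)
  m && names.zip(m.captures).to_h
end

# Rewrite an access-log request line so sensitive values are not stored.
def redact_request(template, request_line)
  verb, target, proto = request_line.split(' ', 3)
  path, query = target.split('?', 2)
  if (params = match_path(template, path))
    path = '/' + template.split('/').map { |seg|
      name = seg.delete_prefix(':')
      next seg if name == seg # literal segment, keep as is
      SENSITIVE.include?(name) ? '[FILTERED]' : params[name]
    }.join('/')
  end
  query = query&.gsub(/(\A|&)(#{SENSITIVE.join('|')})=[^&]*/) { "#{$1}#{$2}=[FILTERED]" }
  [verb, [path, query].compact.join('?'), proto].join(' ')
end

ROUTE = 'account/:username/:password'
# Constructed sample request lines; the hash value is made up.
PATH_LINE  = 'GET /account/bob/5f4dcc3b HTTP/1.1'
QUERY_LINE = 'GET /mycontroller/myaction?foo=bar&password=5f4dcc3b HTTP/1.1'
```

    Redaction at log-write time only covers logs you control; proxies, browser history and Referer headers still see the original URL.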

  5. #5
    Non-Member
    Join Date
    Jul 2005
    Posts
    606
    Ta Luke, I thought there would be something along those lines.

  6. #6
    ☆★☆★ silver trophy vgarcia's Avatar
    Join Date
    Jan 2002
    Location
    in transition
    Posts
    21,236
    Why are you putting a password into the URL?

  7. #7
    Non-Member
    Join Date
    Jul 2005
    Posts
    606
    lol.. I'm only putting the encrypted password into a url, which is never seen by the user anyway. Obviously if someone was sniffing they could find out the encrypted password, then hack the encryption - but at the end of the day if someone is willing to go to that much trouble to hack a site they can just sniff the normal site data anyway as it's not https :P The reason? My rails app is using user data from a php forum, when they login I want it to login to the php forum, then the rails app. Best way I thought of was to send the login form to the php forum, and then hijack that code to redirect to the rails app if the login was successful (with the username and encrypted password in the query string to perform a second check ruby side).

  8. #8
    SitePoint Guru silver trophy Luke Redpath's Avatar
    Join Date
    Mar 2003
    Location
    London
    Posts
    794
    Quote:
    my rails app is using user data from a php forum, when they login i want it to login to the php forum, then the rails app. best way i thought of was to send the login form to the php forum, and then hijack that code to redirect to the rails app if the login was successful
    There must be a better way. Perhaps in your controller you could open up a new HTTP request using ruby's net/http library and send off a POST to the PHP login script using the supplied username/password (which comes from your Rails app from a form POST).

  9. #9
    Non-Member
    Join Date
    Jul 2005
    Posts
    606
    I've explored most if not all avenues Luke - the problem with the http request is the php forum builds its session data based on a hash which is generated from the ip - if you send an http request the ip received will be that of the server rather than the user, messing up the sessions - with the method you suggest I very nearly had it working, the user was logged in but the hash would not validate when the user subsequently views the forum in their browser hence appearing logged out.

  10. #10
    SitePoint Guru silver trophy Luke Redpath's Avatar
    Join Date
    Mar 2003
    Location
    London
    Posts
    794
    Which forum are you using? Perhaps you could make a small tweak to the forum source so it generates its hash from an IP address passed as a POST parameter, then you can send the end user's IP along with the http request in the controller.

  11. #11
    Non-Member
    Join Date
    Jul 2005
    Posts
    606
    Vbulletin - yeh it's a possibility. But I checked it out and the code that handles that looked quite convoluted and cropped up in numerous different places and it's the sort of thing where you are bound to end up screwing the login for the actual forum itself. I'm willing to take this security compromise to minimise the amount of hacking that is needed.

  12. #12
    eschew sesquipedalians silver trophy sweatje's Avatar
    Join Date
    Jun 2003
    Location
    Iowa, USA
    Posts
    3,749
    Seems like maybe you would have better luck "hijacking" the PHP session yourself. You should be able to know the PHP session ID, and since you are running as the server, even when running Ruby, you should be able to access the file. Parsing the serialized data structure of the session file sounds like it might be less work than what you are contemplating.
    Jason Sweat ZCE - jsweat_php@yahoo.com
    Book: PHP Patterns
    Good Stuff: SimpleTest PHPUnit FireFox ADOdb YUI
    Detestable (adjective): software that isn't testable.
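
    A sketch of the session-file parsing suggested in the post above, as an added example that is not code from the thread, from PHP or from vBulletin. It reads PHP's default `php` session serialization (`name|value` pairs) for a subset of types and returns a user id only when the session is well formed, marked logged in and not idle too long. The key names `userid`, `loggedin` and `lastactivity`, the idle limit and the sample record are assumptions.

```ruby
require 'strscan'

# Parse one PHP-serialized value (subset: null, bool, int, string, array).
def php_value(sc)
  if sc.scan(/N;/) then nil
  elsif sc.scan(/b:([01]);/) then sc[1] == '1'
  elsif sc.scan(/i:(-?\d+);/) then sc[1].to_i
  elsif sc.scan(/s:(\d+):"/)
    len = sc[1].to_i # PHP counts bytes, not characters
    raise ArgumentError, 'string overruns input' if len > sc.rest_size
    str = sc.peek(len)
    sc.pos += len
    sc.scan(/";/) or raise ArgumentError, 'unterminated string'
    str.force_encoding('UTF-8')
  elsif sc.scan(/a:(\d+):\{/)
    n = sc[1].to_i
    raise ArgumentError, 'array count overruns input' if n > sc.rest_size
    pairs = Array.new(n) { [php_value(sc), php_value(sc)] }
    sc.scan(/\}/) or raise ArgumentError, 'unterminated array'
    pairs.to_h
  else
    raise ArgumentError, "unsupported token at byte #{sc.pos}"
  end
end

# Split the "php" session handler format: name|value name|value ...
def parse_php_session(raw)
  sc = StringScanner.new(raw.b) # binary copy so lengths count bytes
  session = {}
  until sc.eos?
    name = sc.scan(/[^|]+/) or raise ArgumentError, 'missing key'
    sc.scan(/\|/) or raise ArgumentError, 'missing | after key'
    session[name.force_encoding('UTF-8')] = php_value(sc)
  end
  session
end

TIMEOUT = 900 # assumed idle limit in seconds

# User id for a valid, unexpired session, else nil. Key names are assumptions, not vBulletin's.
def logged_in_user(raw, now)
  s = parse_php_session(raw)
  return nil unless s['loggedin'] == true && s['userid'].is_a?(Integer)
  return nil unless s['lastactivity'].is_a?(Integer) && now - s['lastactivity'] <= TIMEOUT
  s['userid']
rescue ArgumentError
  nil # fail closed on malformed data
end

SAMPLE = 'userid|i:42;loggedin|b:1;lastactivity|i:1700000000;prefs|a:1:{s:4:"lang";s:2:"en";}' # constructed
```

    Anything the parser cannot read is treated as "not logged in", so a truncated or unexpected record never grants access.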

  13. #13
    Non-Member
    Join Date
    Jul 2005
    Posts
    606
    The PHP sessions are stored in the database, do you think that makes it any easier? I must admit I don't quite follow your logic - are you suggesting letting the php forum handle the login and just check for the php session instead of a rails session?

  14. #14
    eschew sesquipedalians silver trophy sweatje's Avatar
    Join Date
    Jun 2003
    Location
    Iowa, USA
    Posts
    3,749
    Quote Originally Posted by Bob Carologees
    The PHP sessions are stored in the database, do you think that makes it any easier? I must admit I don't quite follow your logic - are you suggesting letting the php forum handle the login and just check for the php session instead of a rails session?
    Yes, seems like that might be an easier way to handle it. Just find some token inside the PHP session which indicates a) who it is and b) they are logged in, and then just assume you are good with that user in Rails. One other trick is you would have to propagate the PHP session ID in your Rails app also though.

  15. #15
    Non-Member
    Join Date
    Jul 2005
    Posts
    606
    Thanks - that is a neat solution, I'll definitely try that. In terms of propagating the session ID - I think it would be easier to just set a rails session when the app has determined the user is logged into the php forum - and when logging out this is unset in a similar manner. Obviously it gets more complicated when I worry about having remember me functionality...

  16. #16
    eschew sesquipedalians silver trophy sweatje's Avatar
    Join Date
    Jun 2003
    Location
    Iowa, USA
    Posts
    3,749
    I was actually more worried about what happens when the user tries to go back to the PHP side of your application and gets a new session...

  17. #17
    Non-Member
    Join Date
    Jul 2005
    Posts
    606
    Hmm good point, I guess the problem will arise if someone logs into the forum and then closes their browser, they'll be logged out of the forum but not the main site. I guess it might be a case of storing the php session id in the rails session and checking whether it's still valid on every request :S but that sounds like a bit of an overload.

