[Seaside] how to make bookmarkable urls?

Avi Bryant avi.bryant at gmail.com
Fri Nov 25 10:26:56 CET 2005 

On Nov 25, 2005, at 1:05 AM, Todd Blanchard wrote:

> I'm building a seaside app that has some urls that I want to be  
> bookmarkable.  I have a couple questions about how to do this right.
>
> 1) If I give someone a url with session keys in it, and they use it  
> quickly, can they steal my session?

Yes.

> How might I prevent this?

You can turn on the (very recently [re-]added and untested) option to  
store session keys in cookies.  Or you could add some code to, say,  
remember the IP a session was started from and check to make sure  
it's the same IP asking for it again later.

> 2) I can generate urls that make sense to my app in a stateless way  
> by doing something like:
>
> (html anchor url: (self session application basePath,  
> myCleverPathAddition)) with: [html text: 'Bookmark me']
>
> but of course, clicking this will create a new session because the  
> session keys are not in the url.  So how do I add the session key?

So, the "normal" way to add stuff to the URL is to override  
WAComponent>>updateUrl: and use the WAUrl protocol to modify the path  
and parameters to reflect the current page state.  The reason this  
works is that (by default) there's a redirect before every request,  
and so you don't have to worry about adding the permalink stuff in  
when generating the link, you can wait until someone clicks it and  
then stick it in before the redirect.

This has at least two problems:
- it requires that redirect, which can be kinda annoying (you can  
now, in theory, distinguish between navigational and side-effecting  
links in Seaside, and have it only redirect for the latter, but that  
feature doesn't seem to be usable yet - given that nobody uses it).
- if a savvy web user right clicks on the link to save the URL  
without actually following it, it won't be right (it'll probably have  
the permalink info from the page they're viewing, not the page it  
leads to)

So probably what you want to do is extend WAAnchorTag to allow you to  
modify the URL before it gets stuck in as the href attribute... the  
API could maybe look like:

html anchor
           updateUrl: [:u | u addToPath: myCleverPathAddition];
           callback: [self doStuff];
           text: 'Bookmark me'

Seem reasonable?

> 3) I'm figuring out how to set up the ui state in initialRequest:  
> based on the url - so this is good.  But where is the good place to  
> arrange for bogus session keys to silently produce a new session  
> rather than warn of an expired one?

Actually I already made that change in the latest versions, it was  
annoying me too.  But the answer is, in  
WARegistry>>handleExpiredRequest:.

Avi

More information about the Seaside mailing list