Does Rails have any builtin functionality similar to that of ASP.Net's encryptable ViewState? For those that don't know what the ASP.Net viewstate is, it is essentially just a hidden form field with the name __VIEWSTATE, that stores a series of encoded (or encrypted) key/value pairs as its value. When the form is submitted the viewstate value is decoded/decrypted on the server, and made available as the key/value pairs stored within.

If this functionality does not already exist, is there any way for me to implement it such that it is available in all of my controller classes by default, or do I need to develop my own class that inherits from ApplicationController, and have all of my controller classes inherit from that?

Thanks,
Steve
On Apr 4, 2005 12:43 PM, Steve V <ruby-ChEX1j9zMF7JbC0vcoRRxNBPR1lH4CV8@public.gmane.org> wrote:
> Does Rails have any builtin functionality similar to that of ASP.Net's
> encryptable ViewState? For those that don't know what the ASP.Net viewstate
> is, it is essentially just a hidden form field with the name __VIEWSTATE,
> that stores a series of encoded (or encrypted) key/value pairs as its value.
> When the form is submitted the viewstate value is decoded/decrypted on the
> server, and made available as the key/value pairs stored within.
>
> If this functionality does not already exist, is there any way for me to
> implement it such that it is available in all of my controller classes by
> default, or do I need to develop my own class that inherits from
> ApplicationController, and have all of my controller classes inherit from
> that?

I think anyone not coming from ASP.Net will be confused as to what the Viewstate is. Yes, it is basically an encrypted string of key/value pairs, but it provides a way for ASP.Net to keep server control state between requests. This can be as simple as saving on/off states of a control's visibility to caching the data of a datagrid (which results in a huge viewstate).

I don't really see how Rails would even use the viewstate. It has no server controls and does not even try to fake a stateful application. My only suggestion is to build a viewstate implementation into your app. If it would be useful for others, extract it out to a gem so anyone can drop it in their own apps.

One of the things about Rails is, there isn't necessarily a core group of developers just adding features on a whim. If something comes up and a feature is needed, it's written. If it's something that could be useful to the general Rails community, it's extracted out into a rubygem or patched into Rails.

--
rick
http://techno-weenie.net
I feel obliged to mention more about how the server uses the viewstate. The form action is overwritten during rendering, so that it's impossible to post a form to another location without some fairly serious hacking. So now every form action is a post, which includes the encoded viewstate value. This makes the viewstate a bandwidth hog unless some server-side mechanism is used to store viewstate. Every server-side control used on the page automatically retrieves its values from the posted viewstate during initialization.

Personally, I despise the forced postback. ASP.NET 2.0 is supposed to be better - we'll see. If you want to go that route, please make the postback flexible and unobtrusive.

Kevin

P.S. There's a PHP framework that seems to be a copy of the ASP.NET model, but I haven't really looked at it. http://www.xisc.com/

Rick Olson wrote:
> On Apr 4, 2005 12:43 PM, Steve V <ruby-ChEX1j9zMF7JbC0vcoRRxNBPR1lH4CV8@public.gmane.org> wrote:
>> [...]
>
> I think anyone not coming from ASP.Net will be confused as to what the
> Viewstate is. Yes, it is basically an encrypted string of key/value
> pairs, but it provides a way for ASP.Net to keep server control state
> between requests. This can be as simple as saving on/off states of a
> control's visibility to caching the data of a datagrid (which results
> in a huge viewstate).
>
> I don't really see how Rails would even use the viewstate. It has no
> server controls and does not even try to fake a stateful application.
> My only suggestion is to build a viewstate implementation into your
> app. If it would be useful for others, extract it out to a gem so
> anyone can drop it in their own apps.
>
> One of the things about Rails is, there isn't necessarily a core group
> of developers just adding features on a whim. If something comes up
> and a feature is needed, it's written. If it's something that could
> be useful to the general Rails community, it's extracted out into a
> rubygem or patched into Rails.
> I feel obliged to mention more about how the server uses the viewstate.
> The form action is overwritten during rendering, so that it's impossible
> to post a form to another location without some fairly serious hacking.
> So now every form action is a post, which includes the encoded viewstate
> value. This makes the viewstate a bandwidth hog unless some server-side
> mechanism is used to store viewstate. Every server-side control used on
> the page automatically retrieves its values from the posted viewstate
> during initialization.
>
> Personally, I despise the forced postback. ASP.NET 2.0 is supposed to be
> better - we'll see. If you want to go that route, please make the
> postback flexible and unobtrusive.

I didn't mean to imply that I was looking for Rails to use viewstate in the fashion that ASP.Net does. I'm not looking for Rails to try and mimic a stateful application at all.

I am more so interested in the ability of the viewstate to carry some information in an encrypted fashion between requests. Viewstate is just a glorified (but sometimes useful) hidden form field.

My desire for this came up from what seems to be a flaw in the way that lock_version works. This seemed like a pretty nice builtin way to manage concurrency. The problem is, though, that there's no way to be sure of what lock_version a user started with. After the post to the server, the server gets an instance of the record to be edited, and then updates the record information. It's unlikely (but possible) that the lock version would change in that small amount of time. The more likely place for there to be a concurrency issue is when the user first receives the data they wish to edit. If they take 15 minutes to make their changes and then submit, there is a whole lot more time for someone else to update the record they're working on, before they submit it back to the server to save.

If the lock_version value is in a clear-text hidden form field, a malicious user could potentially alter the lock_version on their machine and submit their changes, thus bypassing a previous change. I'm not sure that this is relevant, though, since I cannot immediately come up with a malicious use for this, but in the back of my head it seems like there could be.

As a side note: why is the lock_version displayed as an editable field on the default Rails new/edit templates?

Steve
Steve V wrote:
> I didn't mean to imply that I was looking for Rails to use viewstate in the
> fashion that ASP.Net does. I'm not looking for Rails to try and mimic a
> stateful application at all.
>
> I am more so interested in the ability of the viewstate to carry some
> information in an encrypted fashion between requests. Viewstate is just a
> glorified (but sometimes useful) hidden form field.

Why won't session data fill this role?

--
David Morton
AFAIK, this "encrypted viewstate" is just the Session object serialized (and, maybe, using some 2-way encryption), right? If so, it's easy to implement this on Rails, though =)

regards,
juca

On Apr 4, 2005 5:36 PM, David Morton <mortonda-0/IDydmJJnNeoWH0uzbU5w@public.gmane.org> wrote:
> Steve V wrote:
>> I am more so interested in the ability of the viewstate to carry some
>> information in an encrypted fashion between requests. Viewstate is just a
>> glorified (but sometimes useful) hidden form field.
>
> Why won't session data fill this role?

--
juraci krohling costa
http://jkcosta.info
> AFAIK, this "encrypted viewstate" is just the Session object serialized
> (and, maybe, using some 2-way encryption), right?
> If so, it's easy to implement this on Rails, though =)

<snip>

> Why won't session data fill this role?

Close. It is a 2-way encrypted string, and it is serialized, but it is not a Session object. It is specific to the current request.

As for why a session won't work: the target application will be spread over multiple servers, and I don't want to have to tie a request to one specific server. Plus, the issue at hand, at least with lock_version, is really a request-specific issue and not session-specific, which means trying to work with lock_version through the session brings up other management issues to make sure the proper lock_version is always being used.

I don't think it would be difficult in any way to implement. I'm new to both Ruby and Rails, so I have no idea where to find the encryption bits, but once I have that I think it will be pretty trivial to implement. Does Ruby have any builtin encryption libraries (I didn't see anything in the reference or on RubyForge)? The solution will need to be cross-platform (*BSD, Linux, and Win32). Any pointers or suggestions as to where I can find existing encryption libraries (or is it just recommended to use OpenSSL)?

Steve
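The two concerns Steve raises, a clear-text lock_version hidden field that a user can edit before submitting, and where to find encryption in Ruby, meet in the following sketch. It is an added example, not code from the thread or from Rails; it uses Ruby's standard `openssl`, `json` and `base64` libraries, and the class name `SealedFormState`, the `demo` method and the `SHARED_SECRET` placeholder are this example's own inventions. The field value is encrypted and, more importantly for the lock_version case, authenticated: the server checks an HMAC before it decrypts or parses anything, so an altered field is refused instead of trusted. The key is derived from a secret that every server in the farm shares, which addresses the "don't tie a request to one server" requirement.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Opaque, tamper-evident carrier for per-request form state (for example the
# lock_version a record had when the edit form was rendered). The Hash is
# serialized to JSON, encrypted with AES-256-CBC under a random IV, and the
# IV+ciphertext is authenticated with HMAC-SHA256 (encrypt-then-MAC). On the
# way back in, the MAC is checked before anything is decrypted or parsed, so a
# value edited in the browser is rejected rather than trusted.
class SealedFormState
  class InvalidState < StandardError; end

  IV_LEN  = 16  # AES block size
  TAG_LEN = 32  # HMAC-SHA256 output size

  # `secret` is a string shared by every application server, so a form sealed
  # by one node can be unsealed by any other (no per-machine key).
  def initialize(secret)
    # Two independent keys derived from the shared secret with distinct labels
    # (a simple labelled-hash split chosen for this illustration).
    @enc_key = OpenSSL::Digest::SHA256.digest("enc:#{secret}")
    @mac_key = OpenSSL::Digest::SHA256.digest("mac:#{secret}")
  end

  # Hash -> Base64 string that can sit in a hidden <input>.
  def seal(data)
    cipher = OpenSSL::Cipher.new('aes-256-cbc')
    cipher.encrypt
    cipher.key = @enc_key
    iv = cipher.random_iv # fresh IV for every sealed value
    ciphertext = cipher.update(JSON.generate(data)) + cipher.final
    payload = iv + ciphertext
    tag = OpenSSL::HMAC.digest('SHA256', @mac_key, payload)
    Base64.strict_encode64(payload + tag)
  end

  # Base64 string -> Hash; raises InvalidState for any altered or foreign value.
  def unseal(field)
    begin
      raw = Base64.strict_decode64(field.to_s)
    rescue ArgumentError
      raise InvalidState, 'not valid Base64'
    end
    raise InvalidState, 'truncated' if raw.bytesize < IV_LEN + 16 + TAG_LEN

    payload = raw[0, raw.bytesize - TAG_LEN]
    tag     = raw[-TAG_LEN, TAG_LEN]
    expected = OpenSSL::HMAC.digest('SHA256', @mac_key, payload)
    raise InvalidState, 'authentication failed' unless constant_time_equal?(expected, tag)

    cipher = OpenSSL::Cipher.new('aes-256-cbc')
    cipher.decrypt
    cipher.key = @enc_key
    cipher.iv  = payload[0, IV_LEN]
    plaintext = cipher.update(payload[IV_LEN, payload.bytesize - IV_LEN]) + cipher.final
    JSON.parse(plaintext.force_encoding('UTF-8'))
  rescue OpenSSL::Cipher::CipherError, JSON::ParserError
    raise InvalidState, 'undecodable payload'
  end

  private

  # Compare two byte strings without an early exit, so the time taken reveals
  # nothing about where a forged tag first differs from the expected one.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed placeholder; in a deployment this comes from configuration shared
# by all servers, never from the source tree.
SHARED_SECRET = 'placeholder-secret-shared-by-every-app-server'

# Seals the lock_version an edit form started with, reads it back, and shows
# that a value altered client-side (one ciphertext byte flipped) is refused.
def demo
  state = SealedFormState.new(SHARED_SECRET)
  field = state.seal('id' => 42, 'lock_version' => 7)
  round_trip = state.unseal(field)

  bytes = Base64.strict_decode64(field)
  bytes.setbyte(20, bytes.getbyte(20) ^ 0x01) # byte 20 lies inside the ciphertext
  tampered = Base64.strict_encode64(bytes)
  tamper_rejected = begin
    state.unseal(tampered)
    false
  rescue SealedFormState::InvalidState
    true
  end
  [round_trip, tamper_rejected]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In a controller this would be a `before_filter` that calls `unseal` on the posted field and treats `InvalidState` as a bad request, while the edit view writes `seal('id' => @record.id, 'lock_version' => @record.lock_version)` into a hidden input; the record's lock_version is then taken from the unsealed hash rather than from an editable parameter. Because the IV is random, two seals of the same data differ, so the field cannot be matched across users by comparing values.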
There was a brief discussion about encryption a few days ago: http://rubyurl.com/CrR2x

On Apr 4, 2005 4:12 PM, Steve V <ruby-ChEX1j9zMF7JbC0vcoRRxNBPR1lH4CV8@public.gmane.org> wrote:
> [...]
>
> I don't think it would be difficult in any way to implement. I'm new to both
> Ruby and Rails, so I have no idea where to find the encryption bits, but
> once I have that I think it will be pretty trivial to implement. Does Ruby
> have any builtin encryption libraries (I didn't see anything in the reference
> or on RubyForge)? The solution will need to be cross-platform (*BSD, Linux,
> and Win32). Any pointers or suggestions as to where I can find existing
> encryption libraries (or is it just recommended to use OpenSSL)?
>
> Steve
I don't know, but I would assume it's because session may not be available depending on server configuration.

David Morton wrote:
> Steve V wrote:
>> [...]
>
> Why won't session data fill this role?
>
> --
> David Morton
No, it's different from session. It's leveraged by the server-side controls.

Juraci Krohling Costa wrote:
> AFAIK, this "encrypted viewstate" is just the Session object serialized
> (and, maybe, using some 2-way encryption), right?
> If so, it's easy to implement this on Rails, though =)
>
> regards,
> juca
>
> On Apr 4, 2005 5:36 PM, David Morton <mortonda-0/IDydmJJnNeoWH0uzbU5w@public.gmane.org> wrote:
>> [...]
>>
>> Why won't session data fill this role?
>
> --
> juraci krohling costa
> http://jkcosta.info
The ViewState is logically a separate collection. It's implemented as a hidden field containing Base64 data. It's automatically used by WebForm controls and you can explicitly put text in it. I've also serialized objects to base64 encoded strings and tucked them in there as an alternative to Session.

Encryption is configurable; you can at least explicitly control the key and probably turn it off - you'd need to do one of these things if you were running in a web farm because by default the key is machine specific.

The thing I like about ViewState as opposed to session is that the ViewState is always in sync with the user's state. If the user clicks back, the ViewState (of course) reflects their previous state, so every time they submit it "makes sense" to the server application.

Many naive programmers however make incredibly flawed applications by relying on the WebForms controls and ViewState to manage everything. I've seen apps with 1 meg postbacks for every screen of a wizard - every click on a grid.

Kevin Williams wrote:
> No, it's different from session. It's leveraged by the server-side
> controls.
>
> Juraci Krohling Costa wrote:
>> AFAIK, this "encrypted viewstate" is just the Session object
>> serialized (and, maybe, using some 2-way encryption), right?
>> If so, it's easy to implement this on Rails, though =)
>>
>> [...]