
I am using the redirectTo() function with params to redirect to another page with a query string in the URL. For security purposes this does not look appealing because the user can change the parameters in the URL, thus altering what is inserted into the database.

My code is:

redirectTo(action="checklist", params="r=#r#&i=#insp#&d=#d#");

Is there any way around this? I am not using a form, I just wish to redirect and I want the destination action/controller to know what I am passing but not display it in the URL.

Saad A

  • You could make them session variables but that presents another set of problems. I'd be tempted to create a form with hidden fields and then post it with javascript. – Dan Bracuk Dec 02 '15 at 20:04
  • Have you tried tinkering with using Flash? (note: NOT Adobe Flash). Explanation in the CFWheels docs: http://docs.cfwheels.org/docs/using-the-flash – beloitdavisja Dec 02 '15 at 21:09
  • Upon further review, once you've done your database stuff, redirect again to a page that doesn't talk to your database. – Dan Bracuk Dec 02 '15 at 23:42
  • @DanBracuk I like your 2nd suggestion. You should post that as an answer, and I will upvote the s*** out of it. – Chris Peters Dec 04 '15 at 16:21

2 Answers


You can obfuscate the variables in the URL. CfWheels makes this really easy.

All you have to do is call set(obfuscateURLs=true) in the config/settings.cfm file to turn on URL obfuscation.

I am sure this works with the linkTo() function. I hope it works with the RedirectTo() function as well. I do not have a setup to check it now. But if it doesn't work for RedirectTo(), you can use the obfuscateParam() and deObfuscateParam() functions to do the job for you.

Caution: This will only make it harder for the user to guess the value. It doesn't encrypt the value.

To know more about this, please read the documentation on configuration and defaults and on obfuscating URLs.

Tushar Bhaware


A much better approach to this particular situation is to write params to the flash. The flash is exactly the same thing as it is in Ruby on Rails or the ViewBag in ASP.Net. It stores the data in a session or cookie variable and is deleted at the end of the next page's load. This prevents you from posting back long query strings like someone that has been coding for less than a year. ObfuscateParam only works with numbers and is incredibly insecure. Any power user can easily deobfuscate, even more so with someone that actually makes a living stealing data.

Brandon Osborne
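A worked version of the flash approach from this answer, written in CFWheels CFScript as an added example rather than code taken from either answer or from the original post. The controller name Inspections, the save action, the inspection model with its userId column, and session.userId are assumptions; r, insp and d are the variables from the question.

```cfml
// controllers/Inspections.cfc (assumed name). r, insp and d are set by the action,
// as in the question; how they are computed is not shown here.
component extends="Controller" {

    // The action that does the database work and then redirects.
    function save() {
        // ... database work on r, insp and d happens here ...

        // Hand the values to the next request through the flash instead of the
        // query string: flashInsert() keeps them server-side in the session,
        // so nothing the user can edit appears in the URL.
        flashInsert(r=r, insp=insp, d=d);
        redirectTo(action="checklist");
    }

    // The destination action reads the values back out of the flash.
    function checklist() {
        // The flash is emptied after the next request, so a refreshed or
        // bookmarked checklist URL arrives with nothing in it. Treat that as
        // a normal case and send the user somewhere harmless.
        if (!flashKeyExists("r") || !flashKeyExists("insp") || !flashKeyExists("d")) {
            redirectTo(action="index");
            return;
        }
        r = flash("r");
        insp = flash("insp");
        d = flash("d");

        // Keeping the values out of the URL stops casual tampering; it does not
        // prove the logged-in user may act on this record. Ownership is still
        // checked here (inspection model and session.userId are assumptions).
        inspection = model("inspection").findByKey(key=insp);
        if (!IsObject(inspection) || inspection.userId != session.userId) {
            redirectTo(action="index");
            return;
        }
        // ... render the checklist for r, insp and d ...
    }
}
```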