ansaurus

Question

Passing Perl Data Structures as Serialized GET Strings to a Perl CGI program

Answer 1

+1 A:

Passing serialized encoded strings is a bad way to pass complex data structures to web applications.

If you are trying to pass state from page to page, you can use server side sessions which would only require you to pass around a session key.

If you need to email a link to someone, you can still create a server-side session with a reasonable expiry time (you'll also need to decide if additional authentication is necessary) and then send the session id in the link. You can/should expire the session immediately once the requested action is taken.

Sinan Ünür 2009-11-28 15:39:03

"this" would be "passing a data structure to a CGI application". You are right about using sessions being the right way of passing data from page to page. However, the situation I have is that I want to create a link (URL) and mail it to an email address. When the recipient of the mail clicks on the link, I want to have access to all data corresponding to that user to handle his request (unsubscribe from a mailing list for example)

Gurunandan 2009-11-28 15:54:38

Nothing! Other than the fact that I never thought you could do this :). Will definitely evaluate this - Thanks

Gurunandan 2009-11-28 16:31:19

@Gurunandan Bhat: FYI: I deleted my comment and put my suggestion in the answer itself.

Sinan Ünür 2009-11-28 16:35:11

@Gurunandan Bhat: Why would you have to create thousands of server side sessions?

Sinan Ünür 2009-11-28 16:38:22

Sorry - Might not work for what I want to do. On first thoughts, would have to create thousands of server-side sessions one for each recipient. Seems excessive on first thoughts. Or am I reading you incorrectly?

Gurunandan 2009-11-28 16:39:47

How else would I maintain separate data sctructures for each recipient?

Gurunandan 2009-11-28 16:42:28

@Gurunandan Bhat: Aren't these links created on demand? I am not getting the sneaking suspicion that you want to include these links in the footer of some commercial email you want to send. In that case, why don't use the email address as the key to look up the associated data in the database?

Sinan Ünür 2009-11-28 16:47:55

Footer- Yes. Commercial Email: No. The link leads to a Comment form in a Web Forum to Email gateway (not different from an internally hosted Yahoo Groups for example) where the recipient has a choice of replying to the email or clicking a link to enter his response can respond directly to the forum (which is further emailed..etc.). I cant expose the email address to prevent someone spoofing a response. Authentication is alas not an option

Gurunandan 2009-11-28 17:00:08

@Gurunandan Bhat: One way or another, the **right** solution will be to send a key to some table. It does not have to be an email address in plain sight but it needs to be a key to a database entry (and I don't see how sending a full encoded data structure is any safer).

Sinan Ünür 2009-11-28 17:22:52

Answer 2

+1 A:

Corey Porter 2009-11-28 16:21:07

Agreed that using Storable/Serializer are not portable across languages. Would be interested in hearing how you plan to solve your problem.

Gurunandan 2009-11-28 16:45:51

Answer 3

+1 A:

If you need to send URL's to your users that contains a few key datapoints and you want to ensure it can't be forged you can do this with a Digest (such as from Digest::SHA) and a shared secret. This lets you put the data out there in your messages without needing to keep a local database to track it all. My example doesn't include a time element, but that would be easy enough to add in if you want.

use Digest::SHA qw(sha1_base64);
my $base_url = 'http://example.com/thing.cgi';

my $email = '[email protected]';
my $msg_id = '123411';

my $secret = 'mysecret';
my $data = join(":", $email, $msg_id, $secret);
my $digest = sha1_base64($data);

my $url = $base_url . '?email=' . $email . '&msg_id=' . $msg_id' . '&sign=' . $digest;

Then send it along.

In your "thing.cgi" script you just need to extract the parameters and see if the digest submitted in the script matches the one you locally regenerate (using $email and $msg_id, and of course your $secret). If they don't match, don't authorize them, if they do then you have a legitimately authorized request.

Footnote:
I wrote the "raw" methods into Data::Serializer to make translating between serializers much easier and that in fact does help with going between languages (to a point). But that of course is a separate discussion as you really shouldn't ever use a serializer for exchanging data on a web form.

Neil Neely 2009-11-28 21:05:29

Thanks - this is exactly what I was looking for.

Gurunandan 2009-11-29 04:44:39

ansaurus

tags:

views:

answers:

Passing Perl Data Structures as Serialized GET Strings to a Perl CGI program

related questions