digitally signed URLs


Annet

Mar 6, 2015, 6:26:47 AM
to web...@googlegroups.com
I read chapter 29/04 on digitally signed URLs and have a question.

I have sort of a router function which routes requests:

def router():
    node_id = request.args(0, cast=int)
    row = db().select()
    if row:
        if row.view_id == 'bsc':
            # viewID and navID are not defined in the posted snippet
            redirect(URL('site', 'index', args=[node_id, viewID, navID], vars=dict(view='bsc'), hmac_key=KEY))

    ....
    return None

I'd like to digitally sign the redirect URL, and then in site/index verify it to make sure the visitor
did not alter it.

def index():
    # reject the request if the signature does not match the URL
    if not URL.verify(request, hmac_key=KEY):
        raise HTTP(403)
    ....
    return locals()

I wonder whether this is the correct way to implement digitally signed URLs.
What is the best way to generate an hmac_key to assign to KEY?


Kind regards,

Annet

Massimo Di Pierro

Mar 6, 2015, 12:17:22 PM
to web...@googlegroups.com
If the user is logged in, you do not have to pass an hmac_key. It is automatically generated per session.

Annet

Mar 7, 2015, 2:44:36 AM
to web...@googlegroups.com
Hi Massimo,

Thanks for your reply.


> If the user is logged in, you do not have to pass an hmac_key. It is automatically generated per session.

The user is not logged in; the router function is part of the public functions of my application. The URL
contains three arguments that determine which function is being executed for a particular node.



In the workgroup I read this reply, posted by Anthony:

Well, maybe we should reserve user_signature for logged in users only (otherwise would be a backward compatibility issue), but a separate session_signature argument might be an option. Yes, the idea is for it to generate a session.hmac_key if it doesn't exist. Not sure how useful this would be.



That's what I am looking for.


Kind regards,

Annet
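
Added example, not part of the original posts and not web2py's own implementation: a stand-alone sketch of the sign-then-verify scheme discussed in this thread for a visitor who is not logged in, using one application-wide key. The helper names, the `_signature` parameter name, the sample path and the key-generation choice (`secrets.token_hex`) are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qsl

# Assumption: a 256-bit random key, generated once and kept in private
# server-side configuration (not regenerated per request or per process).
KEY = secrets.token_hex(32)


def _mac(key, path, pairs):
    """HMAC-SHA256 over the path and the sorted query pairs."""
    msg = path + "?" + urlencode(sorted(pairs))
    return hmac.new(key.encode(), msg.encode(), hashlib.sha256).hexdigest()


def sign_url(key, path, args=(), query=None):
    """Build /path/arg0/arg1?...&_signature=<mac> (hypothetical helper)."""
    full_path = "/".join([path.rstrip("/")] + [str(a) for a in args])
    pairs = [(k, str(v)) for k, v in (query or {}).items()]
    pairs.append(("_signature", _mac(key, full_path, pairs)))
    return full_path + "?" + urlencode(pairs)


def verify_url(key, url):
    """Return True only if path, args and query are exactly as signed."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == "_signature"]
    if len(sigs) != 1:  # missing or duplicated signature
        return False
    rest = [(k, v) for k, v in pairs if k != "_signature"]
    expected = _mac(key, parts.path, rest)
    # Constant-time comparison on bytes; bytes also accept non-ASCII input.
    return hmac.compare_digest(expected.encode(), sigs[0].encode())


# Constructed sample values mirroring the router redirect in the question.
signed = sign_url(KEY, "/app/site/index", args=[12, 3, 7], query={"view": "bsc"})
tampered = signed.replace("/12/", "/13/", 1)
print(verify_url(KEY, signed), verify_url(KEY, tampered))
```

Because the key is shared by all visitors, a signed URL proves only that the application issued it; any visitor who obtains the URL can replay it.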