Preferred Method To Implement Foreign Keys

Which of these methods is preferred: an ID transported via URL to go to the next form page, or set up a SESSION variable to use throughout the site?

For instance, the page starts with inserting the data for a user via form inputs. Then you choose that user from the list so that you can add more details to his profile, i.e., family info, job info, etc. All this is accomplished by transporting the identity of that user to the next page so that it can be used to connect all of his other details in other tables.

My question is which method of these two, URL or SESSION, is the most secure method of moving through this process? What would be the pros and cons between these two methods? Are there other means of doing this? Or does it even matter?

Thanks for your input and help.

Personal preference: I tend to lean towards session variables for that sort of thing as they are hidden from the user. URL Parameters are displayed to the user in most cases.

2 Likes

Thanks!

You could consider cookies too. You can always set a re-direct if the Cookie is interfered with and the data source fails to load (Invalid Dynamic Event for example), or a show/hide region based on data returned successfully, same for Sessions or URL variables. This way you can safeguard in some ways the page itself should anything be amiss.

:slight_smile:

1 Like

Hi @revjrblack
Using parameters by URL, at the end you will always find someone who will change the number in the URL parameters…

I made now a reserved area all with Session in the State Management. People see nothing and you manage everything very easily.

1 Like

So important to use a random string/hash/uid for any such exposed variable… Longer the better!

:smiley:

May sacrifice some performance DB side but security wise sometimes it’s a worthy compromise.

1 Like

Further. You can log all hits to a specific page which is triggered if there are no results due to various forms of injection techniques. Three hits in a set period of time creates an account lock-down or at least an alert (you could use the Mailer component to send an E-Mail to an Admin for example).

:wink:

1 Like
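
The two suggestions above (a long random ID for any exposed variable, and counting no-result hits toward a lock-down or alert) can be combined on the server. This is an added example, not part of the thread or of any product mentioned in it; the function names, the in-memory maps and the 10-minute window are assumptions.

```javascript
// Added example (not from the thread). All names here are hypothetical.
const crypto = require('crypto');

const WINDOW_MS = 10 * 60 * 1000; // assumed "set period": 10 minutes
const MAX_MISSES = 3;             // "three hits" from the post above

const profiles = new Map(); // publicId -> { ownerId, name }
const misses = new Map();   // accountId -> timestamps of failed lookups
const locked = new Set();   // accounts locked pending admin review

// Store a record under an unguessable 128-bit public id instead of 1, 2, 3...
function createProfile(ownerId, name) {
  const publicId = crypto.randomBytes(16).toString('hex');
  profiles.set(publicId, { ownerId, name });
  return publicId;
}

// Look up a profile for the account held in the server-side session.
// The id from the URL is only a locator; ownership is still checked.
function getProfile(sessionAccountId, publicId, now = Date.now()) {
  if (locked.has(sessionAccountId)) return { status: 'locked' };
  const row = profiles.get(publicId);
  if (row && row.ownerId === sessionAccountId) {
    return { status: 'ok', name: row.name };
  }
  // Miss: unknown id or someone else's record. Both get the same answer,
  // so the response does not reveal which ids exist.
  const recent = (misses.get(sessionAccountId) || [])
    .filter((t) => now - t < WINDOW_MS);
  recent.push(now);
  misses.set(sessionAccountId, recent);
  if (recent.length >= MAX_MISSES) {
    locked.add(sessionAccountId);
    // A real application would notify an admin here (e.g. by e-mail).
    return { status: 'locked', alert: `lookup misses: ${sessionAccountId}` };
  }
  return { status: 'not_found' };
}
```

The random ID only makes records hard to guess; the ownership comparison against the session account is what stops one user from reading another's record.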

What would the equivalent be to the link example of webpage.com?id=3 if it is to be replaced with a session variable?

It would just be webpage.com.

1 Like

Haha… of course.

on the link to the next page you must set

the link must set a href="#"
then on dynamic event:

on mouse click
then
assign the session variable (use datapicker to take the value)
then
browser component go to …

I’m sorry, I cannot add a screenshot; I’m on my phone…

1 Like