Feature #8321

Consider WResource::setChanged enhancement to invalidate stale WResource links

Added by Bruce Toll 4 months ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
Start date: 04/08/2021
Due date:
% Done: 0%
Estimated time:

Description

Consider adding a setInvalidAfterChanged option on WResource which returns a 404 Page Not Found for stale links with outdated rand values. This provides protection against unintended reuse of stale resource URLs. For instance, an online editing program based on Wt might use a WResource to export a document with URL L1. If the end-user starts working on a different document and exports it, they will receive an updated URL L2. However, an attempt to reuse URL L1 will provide the newer document associated with L2 -- which might be surprising.

Attached is a draft patch for early review/feedback that should apply to Wt master github 4.5.0-rc1-46-g169236d8. It adds a WResource method setInvalidAfterChanged() that modifies WResource behavior so that a 404 Page Not Found is returned on attempts to access a stale resource link. This change is opt-in, since the current behavior of unconditionally returning the latest resource output is useful in many cases.

In addition, the patch provides independent "rand" query parameters for each private resource to prevent leaking information about how many accesses a private resource has had (from other sessions).

I thought this enhancement might be relevant to the discussion in issue #8305. Suggestions are welcome.
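
A minimal stand-alone C++ model of the behaviour proposed above, added here as an illustration; it is not the attached patch and not Wt code. `ModelResource`, `exportDocument` and `replay` are hypothetical names, and drawing a 64-bit token from `std::random_device` is an assumption about how a per-resource rand value could be generated.

```cpp
// Stand-alone model of the proposed behaviour; this is not Wt source code.
#include <cstdint>
#include <iostream>
#include <random>
#include <string>
#include <utility>

struct Response { int status; std::string body; };

class ModelResource {  // hypothetical stand-in for a WResource
public:
    void setInvalidAfterChanged(bool on) { invalidAfterChanged_ = on; }  // opt-in

    // Mirrors setChanged(): new output is available, so issue a fresh rand value.
    // Assumption: the value is drawn per resource instead of from a shared
    // sequence, so it says nothing about accesses made by other sessions.
    void setChanged() {
        std::random_device rd;
        std::uint64_t old = rand_;
        do { rand_ = (std::uint64_t(rd()) << 32) | rd(); } while (rand_ == old);
    }
    void exportDocument(std::string doc) { content_ = std::move(doc); setChanged(); }

    std::uint64_t currentRand() const { return rand_; }  // value placed in the URL

    // requestRand is the "rand" query parameter parsed from the incoming URL.
    Response handle(std::uint64_t requestRand) const {
        if (invalidAfterChanged_ && requestRand != rand_)
            return {404, "Page Not Found"};  // stale link rejected
        return {200, content_};              // default: always the latest output
    }

private:
    std::string content_;
    std::uint64_t rand_ = 0;
    bool invalidAfterChanged_ = false;
};

// Replays the L1/L2 scenario: export A (link L1), then export B (link L2).
Response replay(bool optIn, bool useStaleLink) {
    ModelResource r;
    r.setInvalidAfterChanged(optIn);
    r.exportDocument("document A");
    std::uint64_t l1 = r.currentRand();
    r.exportDocument("document B");
    return r.handle(useStaleLink ? l1 : r.currentRand());
}

int main() {
    std::cout << "stale link, default: " << replay(false, true).status << "\n"
              << "stale link, opt-in:  " << replay(true, true).status << "\n";
}
```

With the option off, the stale link L1 silently serves document B; with it on, L1 gets a 404 while the current link L2 keeps working.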

