[Dancer-users] flash implementation

Alexis Sukrieh sukria at sukria.net
Mon Jan 3 16:51:24 CET 2011


Le 30/12/2010 08:37, Иван Бессарабов a écrit :
> Hi!
>
> I've read http://advent.perldancer.org/2010/3 and I have a question.
>
> In the blog implementation, described in the article there is so called "flash".
> There is a global variable where one stores some message that is
> available after redirect:
>
> my $flash;
> sub set_flash { $flash = shift }
> sub get_flash { my $msg = $flash; $flash = ""; return $msg } )
>
> post '/add' =>  sub {
>     # some lines skipped
>     set_flash('New entry posted!');
>     redirect '/';
> };
>
> I think there can be a problem with this thing: if there are a lot of
> requests to the site some user can see the flash message that was done
> for some other user.
>
> Am I right?

Indeed, as the author of the article used a global variable to store the 
"flash" value, you're right.

Nice catch ;)

> I can see several ways of doing the same way but in more safe way:
> 1. redirect to page with parameter that identifies flash message (have
> a problem with not pretty urls)

Not a good way to do that, IMO, you'll need to URI-encode the message 
and will be limited in size (a query string has limited size). Not to 
mention the ugliness of the resulting URL, and the potential XSS issues 
(HTML/JS injections can be done easily with this strategy).

> 2. store id to flash message in a cookie

Works but rather complicated to implement, you need a table of flash 
messages and absolutely need to remember what message is bound to which 
ID. I have the feeling it's a bit fragile, if your code changes since 
the time you pushed some cookies, user might get strange flash messages.
Also it sounds like being a rather complicated solution to a simple 
problem; which is always a bad sign ;)

> 3. store flash message in a session

The better way of handling that feature, to me.

A flash message is in the scope of a single user, and should be 
volatile, this makes the session pattern a very good candidate.

set_flash could look like:

     sub set_flash {
         my ($message) = @_;
         session flash => $message;
     }

And get_flash, should basically be a session read + session remove of 
the flash entry:

     get_flash {
         my $flash = session('flash');
         session flash => undef if defined $flash;
         return $flash;
     }

> Any other ways?

I think the above strategy is the one used by Rails, so I think it's a 
good proof of concept ;)

Anyone volunteers to implement that in a shiny 
Dancer::Plugin::FlashMessage? ;)

Follow the myth! Whenever a plugin is mentioned in this list, it gets 
uploaded to CPAN at some point ;)

-- 
Alexis Sukrieh


More information about the Dancer-users mailing list