Le 30/12/2010 08:37, Иван Бессарабов a écrit :

Hi!

I've read http://advent.perldancer.org/2010/3 and I have a question.

In the blog implementation, described in the article there is so called "flash". There is a global variable where one stores some message that is available after redirect:

my $flash; sub set_flash { $flash = shift } sub get_flash { my $msg = $flash; $flash = ""; return $msg } )

post '/add' => sub { # some lines skipped set_flash('New entry posted!'); redirect '/'; };

I think there can be a problem with this thing: if there are a lot of requests to the site some user can see the flash message that was done for some other user.

Am I right?

Indeed, as the author of the article used a global variable to store the "flash" value, you're right. Nice catch ;)

I can see several ways of doing the same way but in more safe way: 1. redirect to page with parameter that identifies flash message (have a problem with not pretty urls)

Not a good way to do that, IMO, you'll need to URI-encode the message and will be limited in size (a query string has limited size). Not to mention the ugliness of the resulting URL, and the potential XSS issues (HTML/JS injections can be done easily with this strategy).

2. store id to flash message in a cookie

Works but rather complicated to implement, you need a table of flash messages and absolutely need to remember what message is bound to which ID. I have the feeling it's a bit fragile, if your code changes since the time you pushed some cookies, user might get strange flash messages. Also it sounds like being a rather complicated solution to a simple problem; which is always a bad sign ;)

3. store flash message in a session

The better way of handling that feature, to me. A flash message is in the scope of a single user, and should be volatile, this makes the session pattern a very good candidate. set_flash could look like: sub set_flash { my ($message) = @_; session flash => $message; } And get_flash, should basically be a session read + session remove of the flash entry: get_flash { my $flash = session('flash'); session flash => undef if defined $flash; return $flash; }

Any other ways?

I think the above strategy is the one used by Rails, so I think it's a good proof of concept ;) Anyone volunteers to implement that in a shiny Dancer::Plugin::FlashMessage? ;) Follow the myth! Whenever a plugin is mentioned in this list, it gets uploaded to CPAN at some point ;) -- Alexis Sukrieh