$webinfo: Salt Topics
The SALT, SALTIN, and SALTOUT functions of $webinfo hold a random string that is used to generate and verify hashed HTTP requests and responses for static server pages.
$webinfo("SaltTopic") {= SaltString}

vString = $webinfo("SaltTopic")
Parameters
Parameter | Data Type | Description
---|---|---
Salt | String | Salt string used to generate and verify a hash using webgen and webget respectively.
SaltIn | String | Salt string used by webget to verify a hash.
SaltOut | String | Salt string used by webgen to generate a hash.
Use
Use only in static server pages.
Description
A salt is a string that can be used to hash data, in this case to verify occurrence information on the server after a round-trip to the browser. This extends the security of your web application beyond that provided by $SERVER_SECRET in the assignment file. The SaltString that you provide can be a user name, a session ID, login-specific information, or any other string that you can reproduce in your Uniface web application on the next request.
If you set a SaltString for a static server page, the same string must be used for both the webgen command, which generates the USP page, and the webget command, which loads the client input.
The salt topics are cleared before the preRequest trigger and after the postRequest trigger of the server's application shell are fired, ensuring that the salt string exists only for the duration of the HTTP request. You should therefore set the SaltString in the preRequest trigger of the application shell, or in the preActivate trigger of the component.
Using a Salt
For example, you could use the following code in the preRequest trigger of a web application shell to use the web session ID as a salt. It ensures that a different hash is used for a different session.
After a session start, the salt is used by webgen to generate a hash value for occurrence information that is sent to the browser. If the user modifies and stores an occurrence, webget uses the salt to check that the hashed occurrence information matches.
After the session expires, the salt is no longer valid, so validation by webget on the next request will fail. You should therefore check for error -259 <UWEBERR_HASH> after webget. To handle this error, you could, for example, return to the login page.
```
trigger preRequest
; of a web application shell
variables
  string SID
endvariables

; Use web session ID as a salt.
getitem/id SID, $webinfo("WEBSERVERCONTEXT"), "SESSION"
$webinfo("SALT") = SID
...
end
```
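The generate-and-verify round trip described above, modelled in Python as an added example (this is not Uniface code, and the page does not state which hash Uniface uses). The HMAC-SHA256 construction, the way the salt is combined with $SERVER_SECRET, and the sample occurrence data are assumptions made for illustration; the per-request clearing of the salt topics, the SALT/SALTIN/SALTOUT roles and the -259 error code follow the page.

```python
import hashlib
import hmac
import json

# Constructed stand-in for $SERVER_SECRET in the assignment file (not a real value).
SERVER_SECRET = b"example-server-secret-for-illustration"
UWEBERR_HASH = -259  # error returned by webget when the hash does not match


def clear_salt_topics():
    """Salt topics exist only for one HTTP request, so each request starts empty."""
    return {"SALT": "", "SALTIN": "", "SALTOUT": ""}


def _salt_for(topics, direction):
    """SALTOUT (webgen) or SALTIN (webget) if set, otherwise the shared SALT."""
    return topics.get(direction) or topics.get("SALT") or ""


def occurrence_hash(server_secret, salt, occurrence):
    """Assumed construction: HMAC over canonical occurrence info, keyed by secret and salt."""
    key = hmac.new(server_secret, salt.encode(), hashlib.sha256).digest()
    canonical = json.dumps(occurrence, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def webgen(topics, server_secret, occurrence):
    """Model of webgen: send occurrence info plus its hash to the browser."""
    salt = _salt_for(topics, "SALTOUT")
    return {"data": dict(occurrence), "hash": occurrence_hash(server_secret, salt, occurrence)}


def webget(topics, server_secret, page_input):
    """Model of webget: (0, occurrence) on success, (UWEBERR_HASH, None) on mismatch."""
    salt = _salt_for(topics, "SALTIN")
    expected = occurrence_hash(server_secret, salt, page_input["data"])
    if not hmac.compare_digest(expected, page_input["hash"]):
        return UWEBERR_HASH, None
    return 0, page_input["data"]


def round_trip(session_id_gen, session_id_get, occurrence, tamper=None):
    """Request 1 generates the page under one session ID; request 2 verifies under another."""
    topics = clear_salt_topics()      # cleared before preRequest of request 1
    topics["SALT"] = session_id_gen   # preRequest sets the salt from the session
    page = webgen(topics, SERVER_SECRET, occurrence)
    topics = clear_salt_topics()      # cleared again before preRequest of request 2
    topics["SALT"] = session_id_get   # an expired/new session yields a different salt
    if tamper:
        page["data"].update(tamper)   # hidden occurrence info altered in the browser
    return webget(topics, SERVER_SECRET, page)
```

A changed session ID (the expiry case on the page) and an altered hidden field both produce -259, which is the condition the application shell should check for after webget.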