Make use of session-storage safer and more DRY #442

Open
StephenChan opened this issue Feb 24, 2022 · 0 comments
We typically use session storage in multi-step views such as metadata/annotation upload - request 1 stores the data in the session and gives a preview to the user, then request 2 lets the user confirm and saves the data that was stored in the session.

Using sessions for this ensures that the user is the same for both requests, which is good. However, one potentially unsafe thing is that the session key is only unique per view (e.g. session['uploaded_annotations']), not unique per view-visit. So if the same user starts two annotation-uploads in different browser tabs, for example, then depending on the timing of events, CoralNet could end up trying to save tab 1's data when the confirm button is clicked in tab 2. It would be safer if each tab had its own unique session key, which is returned from request 1 and passed in during request 2.

Also, each view that uses sessions like this uses Django's cache API directly and provides its own 'not in session' error message when things go wrong. This could probably stand to be more DRY.
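The following is an added example, not CoralNet code, sketching the per-visit key and the shared error handling the issue asks for. It models the session as a plain dict so it runs offline (a Django `request.session` supports the same operations); the function names, the `StagedDataMissing` exception and the sample annotation rows are assumptions made for the illustration.

```python
"""Per-visit staging tokens for two-step views (added example, not CoralNet code).

The session is modelled as a plain dict so the module runs offline; a Django
request.session behaves the same way for the operations used here.
"""
import secrets
from typing import Any, MutableMapping

Session = MutableMapping[str, Any]


class StagedDataMissing(Exception):
    """Single 'not in session' error, raised for every two-step view."""


# --- Current pattern: one session key per view, shared by every open tab ---

def legacy_stage(session: Session, view_key: str, data: Any) -> None:
    # Whatever another tab staged under the same view key is silently replaced.
    session[view_key] = data


def legacy_confirm(session: Session, view_key: str) -> Any:
    try:
        return session.pop(view_key)
    except KeyError:
        raise StagedDataMissing(
            f"Nothing staged under {view_key!r}; start the upload again.") from None


# --- Proposed pattern: one unguessable token per view-visit ---

def stage(session: Session, view_key: str, data: Any) -> str:
    """Request 1: store `data`, return the token the confirm form must send back."""
    token = secrets.token_urlsafe(16)          # 128 random bits, distinct per tab
    bucket = session.setdefault(view_key, {})  # view_key -> {token: staged data}
    bucket[token] = data
    # In a real Django view, mark the session dirty after mutating a nested
    # structure:  request.session.modified = True
    return token


def confirm(session: Session, view_key: str, token: str) -> Any:
    """Request 2: hand back exactly what this tab staged, then discard it."""
    bucket = session.get(view_key)
    if not isinstance(bucket, dict) or not isinstance(token, str) or token not in bucket:
        raise StagedDataMissing(
            f"No staged data for this form under {view_key!r}; "
            "the preview may have expired or already been confirmed.")
    data = bucket.pop(token)
    if not bucket:
        session.pop(view_key, None)  # drop the view key once every visit is consumed
    return data


def two_tab_scenario() -> dict:
    """Reproduce the race from the issue: tab 2 previews, then tab 1 previews,
    then the user clicks confirm in tab 2."""
    # Constructed sample payloads standing in for uploaded annotation rows.
    tab1 = {"image": "a.jpg", "label": "Porites"}
    tab2 = {"image": "b.jpg", "label": "Acropora"}

    # Legacy: tab 1's preview overwrote tab 2's, so confirming in tab 2 saves tab 1's data.
    legacy_session: Session = {}
    legacy_stage(legacy_session, "uploaded_annotations", tab2)
    legacy_stage(legacy_session, "uploaded_annotations", tab1)
    legacy_saved_in_tab2 = legacy_confirm(legacy_session, "uploaded_annotations")

    # Proposed: each tab carries its own token, so the confirms cannot cross over.
    session: Session = {}
    token2 = stage(session, "uploaded_annotations", tab2)
    token1 = stage(session, "uploaded_annotations", tab1)
    saved_in_tab2 = confirm(session, "uploaded_annotations", token2)
    saved_in_tab1 = confirm(session, "uploaded_annotations", token1)

    return {
        "legacy_saved_in_tab2": legacy_saved_in_tab2,
        "saved_in_tab1": saved_in_tab1,
        "saved_in_tab2": saved_in_tab2,
        "tokens_differ": token1 != token2,
        "session_cleared": session == {},
    }


if __name__ == "__main__":
    print(two_tab_scenario())
```

The token is only a handle into the user's own session, so it adds no authorization on its own; it exists to keep concurrent visits from the same user apart, and a missing or already-consumed token routes through the one `StagedDataMissing` path instead of a per-view error message.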
