Can a URL really be considered to be the only key for an HTTP response?


Problem description



The question can be seen as both practical and theoretical.

I am designing a system involving an HTTP client (Flash Player application) and an HTTP server "backend". There are registered users each with their own private image library. Images can be uploaded and of course subsequently retrieved.

Since users authenticate with cookies carrying session identifiers, it suddenly became clear to me (and hence the question) that I can provide the following kind of URL for an authenticated client to retrieve an image ('asset' in my terminology). Note that asset identifiers are unique even across users, i.e. no two users will both have an asset with ID of say, 555. Also, an asset identifier is assumed to be REALLY persistent, i.e. the ID is non-reusable. The URL I was thinking of is:

http://myserver/user/asset/<asset_id>

Brackets denote variable value, i.e. obviously these and the 'asset_id' are not to be taken verbatim here, they denote the actual asset identifier. The HTTP request "to" the above URL is expected to carry a cookie header with the user session identifier, which uniquely authenticates and authorizes the user as the owner of the asset requested.

I am very much after permanent URLs ("Cool URIs don't change" as Tim Berners-Lee said once), but obviously, since the asset resources are private to the user that uploads/owns them, they are not to be cached by any intermediate proxies, only user agents.

Can we consider the URL above as a good way to identify a user asset? My worry is that the response will vary depending on whether a valid session identifier cookie header is supplied or not, and so there is not a one-to-one relationship between the URL and the response. But there is not much one can do, is there? The server HAS to check that the user is authorized to retrieve the asset, right? If you guys have any better suggestions for a solution here, I am also anxious to hear it. Thanks.

Solution

You've said it all, I wouldn't change a thing about your strategy :-) If an unauthorized user tries to access some asset, simply give him a 403 HTTP code ... that's the correct and expected response in that case.
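The handler sketched below is an added example (not code from the asker or the answerer) showing how the two points above fit together: the URL alone names the asset, the session cookie decides who may see it, an authenticated non-owner gets the 403 the answer recommends, and `Cache-Control: private` plus `Vary: Cookie` tell caches that only the user agent may store the response and that it depends on the Cookie header. The session store, asset table, cookie name `sid` and the `get_asset` function are all constructed for the example.

```python
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Constructed sample data standing in for the real session store and asset table.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}       # session id -> user
ASSETS = {                                                   # asset id -> (owner, bytes)
    555: ("alice", b"\x89PNG...alice's image"),
    556: ("bob", b"\x89PNG...bob's image"),
}


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def user_from_cookie(cookie_header: Optional[str]) -> Optional[str]:
    """Resolve the 'sid' cookie to a user, or None if absent/unknown."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("sid")
    return SESSIONS.get(morsel.value) if morsel else None


def get_asset(asset_id: int, cookie_header: Optional[str]) -> Response:
    """Serve GET /user/asset/<asset_id>: same URL for everyone, but the
    representation depends on the Cookie header, so caches must be told so."""
    headers = {
        "Cache-Control": "private, max-age=86400",  # user agent may cache; shared proxies may not
        "Vary": "Cookie",                            # response varies with the Cookie header
    }
    user = user_from_cookie(cookie_header)
    if user is None:
        return Response(401, headers)                # no valid session: not authenticated
    entry = ASSETS.get(asset_id)
    if entry is None or entry[0] != user:
        # 403 for a non-owner, as the answer suggests. Using the same status for an
        # unknown id keeps the response from revealing which ids exist.
        return Response(403, headers)
    headers["Content-Type"] = "image/png"
    return Response(200, headers, entry[1])
```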
