Tokens - am I missing something?

> Hey all-
>
> Just a question out of curiosity: Is there anything that tokens do  
> that variables/action_params/etc., don't? The docs say "Tokens are
> useful because they do not affect the operation of a database  
> action," but it seems that if you're being explicit about your  
> database interaction, that should be true of data type.
>
> I've been using Lasso since 3.6, and I've just plain never used  
> them. Wondering if there's some nifty functionality that they offer  
> or are they a legacy of "classic" Lasso, or ???
>
> No big, just wondering...
>
> -robert-
>
> --
> This list is a free service of LassoSoft: http://www.LassoSoft.com/
> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
> Manage your subscription: http://www.ListSearch.com/Lasso/
>
>

> Session variables are your friend too.  Tokens are so very 1984.
>
>
> On 2009-11-05, at 3:40 PM, Kevin Black wrote:
>
>> I use tokens a lot. I allows me to carry information from one page  
>> to another without having to do an action_param which can be  
>> captured by sniffing programs over the internet. Tokens are a bit  
>> more secure. It also keeps from having to use cookies. The best  
>> part of Tokens after 3.6 is that you can now name them. In 3.6 and  
>> prior, you were limited to only one token, but now you can have as  
>> many as you like.
>
>
>
> _____________
> Rich in Toronto
>
>
> --
> This list is a free service of LassoSoft: http://www.LassoSoft.com/
> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
> Manage your subscription: http://www.ListSearch.com/Lasso/
>
>

> On Nov 5, 2009, at 12:40 PM, Kevin Black wrote:
>
>> I use tokens a lot. I allows me to carry information from one page  
>> to another without having to do an action_param which can be  
>> captured by sniffing programs over the internet. Tokens are a bit  
>> more secure.
>
> It sounds like you're discussing variables stored in a session. From  
> most perspectives, there's no difference between [Action_Param
> ('foo')] and [Token_Value('foo')]. The latter simply has "-token."  
> prepended to the name, while passing between the browser and the  
> server.
>
>
> --
> Douglas Burchard, President
> DouglasBurchard.com, Web Applications
> 15024 NE 66th Street
> Redmond, WA  98052, USA
>
> direct: (206) 227-8161
> solutions@...
> http://www.douglasburchard.com/
>
>
>
>
> --
> This list is a free service of LassoSoft: http://www.LassoSoft.com/
> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
> Manage your subscription: http://www.ListSearch.com/Lasso/
>
>

> About the only difference is that actions can be captured by sniffers
> over the web. It's one of the reasons session variables was created
> since form actions are vulnerable unless on a secure page. Tokens and
> session variables are not similarly vulnerable.
>
> On Nov 5, 2009, at 4:16 PM, Douglas Burchard wrote:
>
>> On Nov 5, 2009, at 12:40 PM, Kevin Black wrote:
>>
>>> I use tokens a lot. I allows me to carry information from one page
>>> to another without having to do an action_param which can be
>>> captured by sniffing programs over the internet. Tokens are a bit
>>> more secure.
>>
>> It sounds like you're discussing variables stored in a session. From
>> most perspectives, there's no difference between
>> [Action_Param('foo')] and [Token_Value('foo')]. The latter simply has
>> "-token." prepended to the name, while passing between the browser
>> and the server.
>>
>>
>> --
>> Douglas Burchard, President
>> DouglasBurchard.com, Web Applications
>> 15024 NE 66th Street
>> Redmond, WA  98052, USA
>>
>> direct: (206) 227-8161
>> solutions@...
>> http://www.douglasburchard.com/
>>
>>
>>
>>
>> --
>> This list is a free service of LassoSoft: http://www.LassoSoft.com/
>> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
>> Manage your subscription: http://www.ListSearch.com/Lasso/
>>
>>
>
> Kevin Black
> tech@...
>
>
>
>
> --
> This list is a free service of LassoSoft: http://www.LassoSoft.com/
> Search the list archives: http://www.ListSearch.com/Lasso/Browse/
> Manage your subscription: http://www.ListSearch.com/Lasso/
>
>
>

> AFAIK, tokens are not less vulnerable. Outside of lasso, they're  
> just regular form params. They're just specially named form fields  
> for use by lasso and would be just as vulnerable as any other form  
> parameters.
>
> -Trevor
>
> on 11/6/09 8:13 AM Kevin Black wrote:
>> About the only difference is that actions can be captured by  
>> sniffers over the web. It's one of the reasons session variables  
>> was created since form actions are vulnerable unless on a secure  
>> page. Tokens and session variables are not similarly vulnerable.
>>
>> On Nov 5, 2009, at 4:16 PM, Douglas Burchard wrote:
>>
>>> On Nov 5, 2009, at 12:40 PM, Kevin Black wrote:
>>>
>>>> I use tokens a lot. I allows me to carry information from one  
>>>> page to another without having to do an action_param which can be  
>>>> captured by sniffing programs over the internet. Tokens are a bit  
>>>> more secure.
>>>
>>> It sounds like you're discussing variables stored in a session.  
>>> From most perspectives, there's no difference between [Action_Param
>>> ('foo')] and [Token_Value('foo')]. The latter simply has "-token."  
>>> prepended to the name, while passing between the browser and the  
>>> server.