
Sunday, April 8th, 2007

4D Web Methods

Execution Order of 4D's Special Web Methods

The methods are executed in the order indicated in the table below (from left to right).

URL type     Request          CW    Var Init   OWA   OWC
4DACTION     post, w/ data    yes   yes        yes   no
4DACTION     get, w/ data     yes   no         yes   no
4DACTION     get, w/o data    no    n/a        yes   no
4DCGI        post, w/ data    yes   no         yes   yes
4DCGI        get, w/ data     yes   no         yes   yes
4DCGI        get, w/o data    no    n/a        yes   yes
"Bad URL"    post, w/ data    no    no         yes   yes
"Bad URL"    get, w/ data     no    no         yes   yes
"Bad URL"    get, w/o data    no    n/a        yes   yes
"Good URL"   post, w/ data    no    no         yes   yes
"Good URL"   get, w/ data     no    no         yes   yes
"Good URL"   get, w/o data    no    n/a        no    no
4DSCRIPT     on template      no    n/a        yes   no

  • "CW" = Compiler_Web
  • "Var Init" = Setting of variable values based on submitted HTML form
  • "OWA" = On Web Authentication
  • "OWC" = On Web Connection

Why "Good" URLs Aren't Good

A "Good URL" is one that maps directly to a file on disk; a "Bad URL" is one that does not. This matters because "Good URLs" can be served without going through either On Web Authentication or On Web Connection. While this may be fine for some files, it leaves a loophole in any attempt at a consistently applied security policy.

One workaround is to make all URLs "bad" by omitting a directory from the root web directory setting in the database preferences, and then adding it programmatically. So, if your web documents are in "/webdocs/", then you might set the web root folder in database properties to be "/" and programmatically add "webdocs/" to it.

Why 4DACTION Should Be Avoided

The flaw in On Web Authentication is that it is run every time 4DSCRIPT is called. As a result, On Web Authentication is not a good place to actually do user authentication, because you may wind up doing it hundreds of times per page.

On Web Connection is the best place to do user authentication. However, 4DACTION-based URLs do not go through On Web Connection. The solution is to ban the use of 4DACTION in your application by putting a trap for it in On Web Authentication. (There, we found a use for it.) This will enforce a uniform security policy in your application.

Simply put, there is never a justification for going directly into a 4D method using 4DACTION. The same method can be called by code in (or called by) On Web Connection.
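
A minimal sketch of the 4DACTION trap described above, written as an On Web Authentication database method. This is an added example, not code from the original post; it assumes the request URL arrives in $1 and begins with "4DACTION/", with or without a leading slash.

```4d
  // Database method: On Web Authentication
  // Added example: refuse every 4DACTION request, pass everything else through.
  // $1 = URL, $2 = HTTP header and body, $3 = client IP, $4 = server IP,
  // $5 = user name, $6 = password; $0 = True to accept the request.
C_TEXT($1;$2;$3;$4;$5;$6)
C_BOOLEAN($0)

  // Default: accept, so that 4DCGI and "Bad URL" requests continue on to
  // On Web Connection, where the real user authentication is done.
$0:=True

  // This method also runs for every 4DSCRIPT call on a template, so it does
  // nothing beyond one cheap string test. In 4D, "=" on text is
  // case-insensitive and "@" is a wildcard.
  // Assumption: both URL forms are tested because the exact form of $1
  // (leading slash or not) is not stated in the post.
Case of 
	: (($1="/4DACTION/@") | ($1="4DACTION/@"))
		  // 4DACTION URLs never reach On Web Connection, so reject them here.
		$0:=False
End case 
```

Because 4DACTION requests are rejected before any project method runs, every remaining dynamic request reaches On Web Connection, which gives the policy a single enforcement point.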

Categories: 4D, Web Application Development
