[Coldbox 5.3.x][Lucee 5.2.7] Alternative to passing variables via URL

I would like to avoid passing variables by URL when I build links from one event to another between two views. My concern here is security and possible tampering with the URL query string. I managed to achieve this goal by leveraging hidden inputs in forms instead of using a query string with event.buildLink(). Typical use case is linking a list View (index.cfm) to other Views like in the example below:


#car_carrier_cd# #car_carrier_nm# #car_awb_prefix#

This way, the variable varCD becomes accessible in the Request Collection, yet does not appear in the URL when the link is built. So far it works fine, but before I re-write all my code in this way, I would like to seek your opinion: does this practice make sense or is there a better way to achieve the same objective? Or, am I getting slightly paranoid with URLs?



Yes, you are being paranoid :) A hacker can tamper with a form field just as easily as they can a URL variable. Also, changing every page in your site to be a POST sounds like a pain, since the user would be unable to refresh any pages without their browser yelling at them.

If you want to persist data and not have it in the URL, use the session scope directly, or if it is a relocation, use setNextEvent() with the persist feature, which uses flash RAM.
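The relocation approach from the answer above, as an added example that is not part of the original thread or of ColdBox itself. The handler name `Carriers`, the events `carriers.select` and `carriers.detail`, the helper `isKnownCarrier()` and its carrier codes are assumptions made up for illustration. Because `rc` merges URL, FORM and flash values, the code is validated on the server in both actions.

```cfml
// handlers/Carriers.cfc (hypothetical handler, added for illustration)
component extends="coldbox.system.EventHandler" {

    // Receives the list view's submission. varCD may arrive via FORM or URL;
    // both are client-controlled, so it is checked before being used.
    function select( event, rc, prc ){
        var varCD = event.getValue( "varCD", "" );

        if ( !isKnownCarrier( varCD ) ) {
            flash.put( name = "notice", value = "Unknown carrier code." );
            setNextEvent( "carriers.index" );
            return;
        }

        // Relocate and carry rc.varCD across the redirect in flash RAM,
        // so it never appears in the query string of the next request.
        setNextEvent( event = "carriers.detail", persist = "varCD" );
    }

    // Flash RAM is inflated into rc on the request after the relocation.
    // It is purged afterwards, so a browser refresh arrives without varCD.
    function detail( event, rc, prc ){
        var varCD = event.getValue( "varCD", "" );

        // Re-validate: nothing stops a client from calling this event
        // directly with its own ?varCD=... value.
        if ( !isKnownCarrier( varCD ) ) {
            setNextEvent( "carriers.index" );
            return;
        }

        prc.varCD = varCD;
        event.setView( "carriers/detail" );
    }

    // Hypothetical allow-list check with constructed sample codes; a real
    // application would look up what the current user is permitted to see.
    private boolean function isKnownCarrier( required string code ){
        return listFindNoCase( "AA,BA,LH", arguments.code ) > 0;
    }

}
```

If the value has to survive a page refresh, store it in the session scope after validation instead of relying on flash RAM.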

Hi Brad,

Thanks for this very valuable feedback! Saved many days of work…