I was reading the docs and noticed that PRC was recommended for security over RC and that the PRC was private.
In the context of requests going over HTTPS: is that still the case or is there no difference between the two scopes?
I was wanting to get some clarification/detail on the difference.
It wouldn’t have anything to do with the request protocol.
RC is a scope that is used for the data coming in from the request ( FORM, URL, JSON or XML payloads, etc ). In essence, anything in it can be considered for “public” consumption.
PRC is the “Private Request Collection”, which provides a place for you to store items that might be sensitive or you would not want being sent in log messages, etc.
My rule of thumb is that the RC receives only simple values or objects - strings, numbers, structs, arrays. The PRC is where I store things like in-request Components, entities, secrets, etc.
This separation also helps when using third-party logging appenders - like Sentry, Rollbar, StacheBox, etc. - because those appenders send a snapshot of the RC with their error logs.
Tangentially, what is the current zeitgeist on using prc vs. args vs. viewVariables scopes? While I completely understand when to use rc vs. prc, I’m a bit less certain about when and what to stick in those three.
@Andrew_Kretzer Typically I use view args when I am looping and rendering views multiple times. The PRC scope is where I store objects and variables I wouldn’t want exposed. So a typical request might use those in the following way:
- Layout renders
- Main view renders, its own content is rendered using the PRC/RC variables, but then…
- Grabs an object from the PRC ( e.g. an entity ) and loops a relationship collection…
- In each iteration of the loop, view args are assembled and are passed to another `renderView` ( now just `view()` ) call - which keeps those arguments isolated to the specific view being rendered
Personally, I never use the `variables` scope in views at all, within a Coldbox application. Because the supertype methods are available, between RC, PRC and view args, those scopes serve the needs and ensure there is no potential mutation outside of those three collections.
Thanks @jclausen - that’s exactly as I’ve been doing.
Thank you for the info!
So, for operations that involve the user entering, editing, and deleting input, the RC would be used. An example of PRC use would be to store an instance of say a cfc used for payments?
Yes. That would be a good example use case
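
The RC/PRC split discussed in this thread, as an added example that is not part of the original posts: a hypothetical ColdBox handler that keeps user input in `rc` and the payment component and its secret in `prc`, so an error log carrying a snapshot of the RC contains neither. `PaymentService`, its `charge()` method, the `paymentGatewayKey` setting and the view name are assumptions.

```cfml
// handlers/Checkout.cfc (hypothetical handler, added for illustration)
component extends="coldbox.system.EventHandler" {

    function submit( event, rc, prc ){
        // rc: simple values that arrived with the request (FORM, URL, JSON body).
        // Treat everything here as public and client-controlled.
        param name="rc.orderId" default="";
        param name="rc.amount"  default="0";

        // prc: in-request components and secrets. Nothing here is populated
        // from client input, and it is not part of an RC snapshot.
        prc.paymentService = getInstance( "PaymentService" );   // hypothetical WireBox mapping
        prc.gatewayKey     = getSetting( "paymentGatewayKey" ); // hypothetical setting name

        try {
            // charge() is an assumed method on the hypothetical PaymentService
            prc.receipt = prc.paymentService.charge( rc.orderId, rc.amount, prc.gatewayKey );
        } catch ( any e ) {
            // Models what the thread describes for third-party appenders:
            // the error is logged together with a snapshot of the RC only.
            log.error( "Charge failed: #e.message#", rcSnapshot( event ) );
            rethrow;
        }

        event.setView( "checkout/receipt" ); // hypothetical view
    }

    // Copy of the public collection only: holds orderId and amount.
    // Had gatewayKey been stored in rc, it would be copied into the log here.
    private struct function rcSnapshot( required event ){
        return duplicate( event.getCollection() );
    }

}
```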