PRC vs. RC: What is the difference when used over HTTPS?

I was reading the docs and noticed that PRC was recommended for security over RC and that the PRC was private.

In the context of requests going over HTTPS: is that still the case or is there no difference between the two scopes?

I was wanting to get some clarification/detail on the difference.

Thank you!

It wouldn’t have anything to do with the request protocol.

The RC is a scope that is used for the data coming in from the request ( FORM, URL, JSON or XML payloads, etc ). In essence, anything in it can be considered for “public” consumption.

The PRC is the “Private Request Collection”, which provides a place for you to store items that might be sensitive or you would not want being sent in log messages, etc.

My rule of thumb is that the RC receives only simple values or objects - strings, numbers, structs, arrays. The PRC is where I store things like in-request Components, entities, secrets, etc.

This separation also helps when using third-party logging appenders - like Sentry, Rollbar, StacheBox, etc. - because those appenders send a snapshot of the RC with their error logs.

2 Likes

Tangentially, what is the current zeitgeist on using prc vs. args vs. viewVariables scopes? While I completely understand when to use rc vs. prc, I’m a bit less certain about when and what to stick in those three.

1 Like

@Andrew_Kretzer Typically I use view args when I am looping and rendering views multiple times. The PRC scope is where I store objects and variables I wouldn’t want exposed. So a typical request might use those in the following way:

  1. Layout renders
  2. Main view renders, its own content is rendered using the PRC/RC variables, but then…
  3. Grabs an object from the PRC ( e.g. an entity ) and loops a relationship collection…
  4. In each iteration of the loop, view args are assembled and are passed to another renderView ( now just view() ) call - which keeps those arguments isolated to the specific view being rendered

Personally, I never use the variables scope in views at all, within a ColdBox application. Because the supertype methods are available, between RC, PRC and view args, those scopes serve the needs and ensure there is no potential mutation outside of those three collections.

2 Likes
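
The request flow described above, as an added example that is not part of the original thread or ColdBox's own code. The `Orders` handler, `OrderService`, its `get()` method, the entity's `getItems()`/`getName()` methods, and the view paths are hypothetical.

```cfml
// handlers/Orders.cfc (constructed example)
component extends="coldbox.system.EventHandler" {

    // Hypothetical service, injected by WireBox
    property name="orderService" inject="OrderService";

    function show( event, rc, prc ){
        // rc: simple values that arrived with the request (URL, FORM, route).
        // Appenders may snapshot this scope, and its contents are untrusted.
        event.paramValue( "orderId", 0 );
        if ( !isValid( "integer", rc.orderId ) || rc.orderId <= 0 ) {
            return event.renderData( type = "plain", data = "Invalid order id", statusCode = 400 );
        }

        // prc: objects built inside the handler (entities, components, secrets).
        // Only handler code writes here; an rc value copied into prc would be
        // exactly as untrusted as it was in rc.
        prc.order = orderService.get( rc.orderId );

        event.setView( "orders/show" );
    }

}

<!--- views/orders/show.cfm: main view, reads rc and prc --->
<cfoutput>
<h1>Order #encodeForHTML( rc.orderId )#</h1>
<ul>
    <!--- Loop a relationship collection on the entity held in prc --->
    <cfloop array="#prc.order.getItems()#" index="item">
        <!--- View args are visible only to the partial being rendered --->
        #view( view = "orders/_item", args = { item = item } )#
    </cfloop>
</ul>
</cfoutput>

<!--- views/orders/_item.cfm: partial, reads only its own args --->
<cfoutput><li>#encodeForHTML( args.item.getName() )#</li></cfoutput>
```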

Thanks @jclausen - that’s exactly as I’ve been doing.

1 Like

Thank you for the info!

So, for operations that involve the user entering, editing, and deleting input, the RC would be used. An example of PRC use would be to store an instance of, say, a CFC used for payments?

Yes. That would be a good example use case.

1 Like

My understanding is that the RC can be passed from outside the handler method, like a URL, FORM or route param name, into the handler method and then down into the view. The RC scope can also be set inside the handler method.
The PRC is only set inside the handler method, making the data completely safe when handed down to the view.
What you wouldn’t want to do is something like: prc.someVar = rc.someFormVar;
Can someone confirm this for me?