Countdown timer that activates a controller method

Posted on 2024-09-10 21:36:33

I am building a survey page where users have a limited time to answer all their questions. The time given is stored in the model as @test.time_allowed, which is an integer representing seconds.

I need to have a simple and non-user-tamperable way to get a timer to display on the view and execute a controller action when it winds down to 0. How can I accomplish this?

I'm a relative beginner so any specific answers would be really helpful. Thank you.

---UPDATE---

@Bryan:
I assume there is a tamper proof way if the timing is done server side? For example, there might be a javascript timer on the client side as you suggested, but upon submission can't the submission time be checked against the time of the window's initial load?

Comments (3)

甜警司 2024-09-17 21:36:33

Since data coming back from the client can never be fully trusted, the server must somehow know what the timestamp of the originally generated form was. This could be done by saving variables in the session or database, but this is problematic. Instead, the server can place a timestamp in the form, either encrypted, or signed, to ensure the client has not altered it. The server can then reject the submission as necessary. On the client, separate logic can handle the UI portion, giving the user feedback on the time limit, but ultimately this is only loosely coupled to the server handling.

Details:

The server should generate two form fields: one with the system timestamp time = Time.now.to_i to track when the form was generated, and another with a signature Digest::MD5.hexdigest(time.to_s.concat('Some-secret-string-1234')) (note using the same time value here for the timestamp form field and signature form field). This validates that the form is submitted with a server-generated timestamp that has not been altered by the client.

You might also send another form field with the time limit.

On the client, read the timestamp, use setTimeout and the time limit to generate a countdown or whatever you want to do on the front end.

When the form is submitted, authenticate the timestamp submitted with the form by regenerating the MD5 signature using the same method as before. Make sure it matches the signature submitted by the form. Then, add the timestamp to the timeout, and make sure it's later than the current server time. If so, you have a valid submission, within your time constraint.

You probably will need to give a little more leeway on the timeout at the server than on the client, maybe a few seconds, to account for network delays, otherwise the user might see one second remaining, click submit, and then by the time the server request is received, it will seem like the timer has expired.

Be sure to add require 'digest/md5' to get access to MD5.

Using MD5 signatures like this is a great way to verify that a client has not altered key parameters in a form in a stateless manner, whatever you would like them to be. A good addition to your bag of tricks.

Good luck!
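
An added example, not part of the answer above: the same stateless scheme in Ruby, with HMAC-SHA256 swapped in for the MD5-of-timestamp-plus-secret signature and the time limit covered by the signature too, so neither hidden field can be altered. `TimedForm`, `SECRET`, `GRACE_SECONDS` and the method names are assumptions for illustration.

```ruby
require 'openssl'

# Added example: stateless signed form timestamp using HMAC-SHA256.
# SECRET, GRACE_SECONDS and all method names are assumptions for illustration.
module TimedForm
  SECRET = 'replace-with-a-long-random-server-side-secret' # placeholder value
  GRACE_SECONDS = 5 # server-side leeway for network delay

  # Values to embed as hidden form fields when the survey is rendered.
  def self.issue(time_allowed, now = Time.now.to_i)
    { issued_at: now, time_allowed: time_allowed, signature: sign(now, time_allowed) }
  end

  # Returns :ok, :tampered or :late for a submitted form.
  def self.check(issued_at, time_allowed, signature, now = Time.now.to_i)
    issued_at = Integer(issued_at.to_s, 10)
    time_allowed = Integer(time_allowed.to_s, 10)
    return :tampered unless secure_equal?(sign(issued_at, time_allowed), signature.to_s)
    now <= issued_at + time_allowed + GRACE_SECONDS ? :ok : :late
  rescue ArgumentError
    :tampered # missing or non-numeric field values
  end

  # The delimiter keeps ("12", "34") and ("1", "234") from signing identically.
  def self.sign(issued_at, time_allowed)
    OpenSSL::HMAC.hexdigest('SHA256', SECRET, "#{issued_at}|#{time_allowed}")
  end

  # Constant-time comparison so the check does not leak how many characters matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Constructed sample: form issued at t=1000 with a 600-second limit.
form = TimedForm.issue(600, 1000)
puts TimedForm.check(form[:issued_at], form[:time_allowed], form[:signature], 1500)
puts TimedForm.check(form[:issued_at], 6000, form[:signature], 1500)
puts TimedForm.check(form[:issued_at], form[:time_allowed], form[:signature], 1700)
```

A valid signature shows the fields were not altered, not that the form was issued only once; a deadline stored server-side per user, as the last answer on this page suggests, covers that case.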

帝王念 2024-09-17 21:36:33

There's no 100% tamper proof way of implementing this since you would need to do this using JavaScript which can be turned off or manipulated by a sufficiently malicious user.

However if you aren't concerned about these issues you could simply set a timeout on the page to submit the form after the number of seconds has elapsed. To do this you would need something similar to the following. Obviously timeInMilliseconds would need to be generated into the page from the template on the server side.

window.setTimeout(function() {
    document.forms['survey_form'].submit();
}, timeInMilliseconds);

白龙吟 2024-09-17 21:36:33

Create model for ongoing surveys, and add after_create filter that will set deadline to Time.now + survey_duration. Keep logic that will deny late sending of answers in model.
