Article David Crawford · Jul 31, 2019 2m read

IRIS provides us with anti-login-CSRF attack mitigation; however, this is not the same as a CSRF attack, as login attacks only occur on the login form. There are currently no built-in tools to mitigate CSRF attacks on API calls and other forms, so this is a step in mitigating these attacks.

See the following link from OWASP for the definition of a CSRF attack:

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

The method shown in this article for mitigating these attacks is currently not proactive, but a minimum that needs to be combined with other attack vector prevention methods,

Article David Crawford · Jul 26, 2019 3m read

Hello community! I have to work with queries using all kinds of methods like embedded sql and class queries. But my favorite is dynamic sql, simply because of how easy it is to manipulate them at runtime. The downside to writing a lot of these is the maintenance of the code and interacting with the output in a meaningful way. In an effort to have as much dynamism as possible so that we're not rewriting code constantly, and so that we have as little code possible (while still making sense and getting the job done), I made a function that takes in any dynamic query and outputs a dynamic object.

Question David Crawford · Jul 15, 2019

CSP pages extend %CSP.Page. What about html/css/js/etc that are hosted on the same web application? Is there any way to override how they're processed like with how you can override a CSP page and CSP REST logic?

Thank you!

David

Question David Crawford · May 7, 2019

Hi! I've been fiddling with linked tables to get data from other servers, and I encountered a problem that I'm curious about. Maybe I'm not using these tools as intended or there's more going on, so I'm asking here.

I'm running a query on linked table A, something simple like this:

select name from A where id = 5983658923646

And I get this error:

[SQLCODE: <-400>:<Fatal error occurred>]

  [%msg: <>]

If id, or any comparison value, is something smaller like 4345, it works just fine. It's only when the where clause reaches a certain length, not just id, that it fails.

After switching Dialects from CACHE to MSS

Question David Crawford · Jun 18, 2018

I thought I should be able to go to the application error log or look at d ^%ER when I get the following error in the browser when troubleshooting a CSP page:

An error occurred with the CSP application and has been logged to system error log (^ERRORS)

However nothing is being generated in these logs. Where are these logs being made?

Thank you

Question David Crawford · Jun 5, 2018

Hello community, simple question. I've been able to use a ternary operator equivalent by using $select for inline if statements using this pattern:

set x = 1

set result = $select(x = 1: "true", x = 0: "false")

These can be nested and can have a lot of options. But I'm curious if there is a native way of using ternary operators in ObjectScript?

Thank you

Question David Crawford · Feb 20, 2018

I'm experimenting with sending large amounts of data in a POST payload to be stored as a stream. However I've noticed that no matter how many characters are in the message, Cache only gets about 32k of them, cutting off the rest. Conversely as expected it can only send about 32k worth of characters in a payload.

Before I get creative, is there a REST message size limit that can be changed? Or is there something else going on here?

Thank you!

Question David Crawford · Feb 15, 2018

I'm sending data via ajax to my REST service, and while retrieving any information sent in the url parameter is easy when they're defined in the route, I can't get anything if I store information in the data parameter. For example:

$.ajax({
    url: "ServerURL",
    data: { "some": "json" } // How do I get this information?
    ...

I've looked at many common solutions such as here:

https://community.intersystems.com/post/lets-write-angular-1x-app-cach%C3%A9-rest-backend-part-9

However, %request seems empty for the most part. I can get the url of the request and the me

Question David Crawford · Jan 11, 2018

Hello everyone,

What has been the best way for you to store and retrieve session information about a user for CSP projects? I can use these methods easily:

CSP Session Management

however I'd like to know if there's a better way to keep more permanent information, or should it all be kept in a class?

Additionally, using whatever method, what would be the best way to block user access to certain portions of the website or entire pages? Such as an admin section. With normal web development this wouldn't be too difficult, but I need help connecting this into CSP terms.

Thank you!
