Since you can't have your cake and eat it ;) your best bet is to look
inside the Security Component to see what parts you want to use and
then put that into your own component, extend the core component or
something like that. You can also look at the Security class but it
does not offer any turn-key solutions for you.

At the risk of being misinterpreted, I am tempted to say that you
should not care where requests come from. Either a request is a
"public" request like /posts/display/123 or a protected action like
/posts/delete/123. Where the request comes from has little relevance in
the first case. In the second case it really has little relevance too
since you will be much more concerned about a valid session
identifying an authorized user, right?

If your security model needs to include "has been posted from exactly
my form on my page" then ajax should not be used for those requests.
IMHO.

/Martin

On Oct 1, 11:05 pm, "Dave Maharaj :: WidePixels.com"
<d...@widepixels.com> wrote:
> But no good for AJAX.
>
> I have AJAX forms in my app so I can't use the security component.
>
> Can I? I know it won't work for AJAX submitted forms. I was just curious.
>
> Dave
>
>
>
> -----Original Message-----
> From: Martin Westin [mailto:martin.westin...@gmail.com]
> Sent: October-01-09 5:45 PM
> To: CakePHP
> Subject: Re: Where request comes from?
>
> The Security Component does this kind of thing for you. For example, it will
> embed a hash value into the form which is a checksum of the form. If a field
> is missing or added it will be captured. If a hidden value is modified this
> will also be captured. Also sessions will be more secure and a lot harder to
> hijack since the session id is replaced for each request.
>
> And a bunch more stuff.
>
> /Martin
>
> On Oct 1, 9:36 pm, Bert Van den Brande <cyr...@gmail.com> wrote:
> > I believe the FormHelper has some 'secure' stuff available for this
> > ... best to consult the documentation ...
>
> > On Thu, Oct 1, 2009 at 8:50 PM, Dave Maharaj :: WidePixels.com
> > <d...@widepixels.com> wrote:
> > > Is there a way to determine / ensure that any requested action
> > > comes from the server?
>
> > > I mean more towards the aspect of forms. That when a form is
> > > submitted the request is coming from the site and not someone who
> > > made a form and trying to submit it to your site.
>
> > > Just curious
>
> > > Thanks,
>
> > > Dave
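
The form checksum described in the quoted message above (a hash embedded in the form that changes when a field is added, removed, or a hidden value is modified), as an added example that is not part of the thread and is not CakePHP's Security Component code. It assumes PHP 7+, a flat form, a per-session secret, and a server-side list of hidden field names; `form_token` and `form_is_intact` are hypothetical names.

```php
<?php
// Added illustration of a form-integrity token; all names are hypothetical.

// Render time: HMAC over the sorted field names plus the values of the
// hidden ("locked") fields, keyed with a secret kept in the user's session.
function form_token(array $fieldNames, array $lockedValues, string $secret): string
{
    $fieldNames = array_map('strval', $fieldNames);
    sort($fieldNames, SORT_STRING);
    $lockedValues = array_map('strval', $lockedValues); // assumes scalar values
    ksort($lockedValues, SORT_STRING);
    return hash_hmac('sha256', json_encode([$fieldNames, $lockedValues]), $secret);
}

// Submit time: recompute the token from what was actually posted.
function form_is_intact(array $post, array $lockedNames, string $secret): bool
{
    $token = $post['_token'] ?? '';
    unset($post['_token']);
    if (!is_string($token)) {
        return false;
    }
    $locked = array_intersect_key($post, array_flip($lockedNames));
    $expected = form_token(array_keys($post), $locked, $secret);
    return hash_equals($expected, $token); // constant-time comparison
}

// Constructed sample data.
$secret = random_bytes(32);
$token  = form_token(['title', 'body', 'post_id'], ['post_id' => '123'], $secret);

$ok       = ['title' => 'Hi', 'body' => 'text', 'post_id' => '123', '_token' => $token];
$tampered = ['post_id' => '999'] + $ok;  // hidden value modified
$extra    = $ok + ['is_admin' => '1'];   // field added
$missing  = $ok;
unset($missing['body']);                 // field removed

foreach (compact('ok', 'tampered', 'extra', 'missing') as $name => $post) {
    $verdict = form_is_intact($post, ['post_id'], $secret) ? 'accepted' : 'rejected';
    printf("%-8s %s\n", $name, $verdict);
}
```

Because the HMAC key lives in the session, a form built on another site cannot produce a matching token, while a script on the same page can read the token from the rendered form and submit it along with the other fields.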