it works with AJAX calls.
http://www.milesj.me/resources/script/ajax-handler-component
On Oct 2, 7:12 am, Martin Westin <martin.westin...@gmail.com> wrote:
> You CAN... but it is painful to say the least.
>
> Since you can't have your cake and eat it ;) your best bet is to look
> inside the Security Component to see what parts you want to use and
> then put that into your own component, extend the core component or
> something like that. You can also look at the Security class but it
> does not offer any turn-key solutions for you.
>
> At the risk of being misinterpreted, I am tempted to say that you
> should not care where requests come from. Either a request is a
> "public" request like /posts/display/123 or a protected action like
> /posts/delete/123. Where the request comes from has little relevance in
> the first case. In the second case it really has little relevance too
> since you will be much more concerned about a valid session
> identifying an authorized user, right?
>
> If your security model needs to include "has been posted from exactly
> my form on my page" then AJAX should not be used for those requests.
> IMHO.
>
> /Martin
>
> On Oct 1, 11:05 pm, "Dave Maharaj :: WidePixels.com" <d...@widepixels.com> wrote:
> > But no good for AJAX.
>
> > I have AJAX forms in my app so I can't use the security component.
>
> > Can I? I know it won't work for AJAX submitted forms. I was just curious.
>
> > Dave
>
> > -----Original Message-----
> > From: Martin Westin [mailto:martin.westin...@gmail.com]
> > Sent: October-01-09 5:45 PM
> > To: CakePHP
> > Subject: Re: Where request comes from?
>
> > The Security Component does this kind of thing for you. For example, it will
> > embed a hash value into the form which is a checksum of the form. If a field
> > is missing or added it will be captured. If a hidden value is modified this
> > will also be captured. Also sessions will be more secure and a lot harder to
> > hijack since the session id is replaced for each request.
>
> > And a bunch more stuff.
>
> > /Martin
>
> > On Oct 1, 9:36 pm, Bert Van den Brande <cyr...@gmail.com> wrote:
> > > I believe the FormHelper has some 'secure' stuff available for this
> > > ... best to consult the documentation ...
>
> > > On Thu, Oct 1, 2009 at 8:50 PM, Dave Maharaj :: WidePixels.com <d...@widepixels.com> wrote:
> > > > Is there a way to determine / ensure that any requested action
> > > > comes from the server?
>
> > > > I mean more towards the aspect of forms. That when a form is
> > > > submitted the request is coming from the site and not someone who
> > > > made a form and is trying to submit it to your site.
>
> > > > Just curious
>
> > > > Thanks,
>
> > > > Dave
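The form checksum idea described in the thread (a hash embedded in the form that catches added, missing, or modified hidden fields) can be sketched as follows. This is an added example, not part of the original messages and not CakePHP's Security Component code; `SECRET`, `form_token`, `verify_form`, and the `_token` field name are hypothetical, and the sample form data is constructed.

```php
<?php
// Added illustration; not CakePHP's SecurityComponent code.
// Assumption: SECRET is a server-side key that never reaches the browser.
const SECRET = 'constructed-demo-key';

// At render time: HMAC over the sorted field names plus the values of the
// fields the user must not change (hidden inputs).
function form_token(array $fieldNames, array $locked): string
{
    sort($fieldNames);
    ksort($locked);
    $payload = json_encode(['fields' => $fieldNames, 'locked' => $locked]);
    return hash_hmac('sha256', (string) $payload, SECRET);
}

// At submit time: recompute the token from the fields that actually arrived.
function verify_form(array $post, array $lockedNames): bool
{
    $token = $post['_token'] ?? '';
    unset($post['_token']);
    $locked = array_intersect_key($post, array_flip($lockedNames));
    $expected = form_token(array_map('strval', array_keys($post)), $locked);
    // Constant-time comparison; a non-string token (e.g. an array) is refused.
    return is_string($token) && hash_equals($expected, $token);
}

// Constructed sample: an edit form with a hidden "id" field.
$token = form_token(['id', 'title', 'body'], ['id' => '123']);
$valid = ['id' => '123', 'title' => 'Hi', 'body' => 'Text', '_token' => $token];

$cases = [
    'unchanged form'     => $valid,
    'hidden id modified' => ['id' => '124'] + $valid,
    'extra field added'  => $valid + ['is_admin' => '1'],
    'field removed'      => array_diff_key($valid, ['body' => true]),
];
foreach ($cases as $label => $post) {
    printf("%-20s %s\n", $label, verify_form($post, ['id']) ? 'accepted' : 'rejected');
}
```

The token in this sketch is not bound to a session or a one-time nonce, so on its own it only detects changes to the form's field set and locked values.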