SecurityComponent work with Ajax. All I see is form security being
disabled (lines 85-87).
Making Ajax work with SecurityComponent would involve actually
validating that an ajax post came from the correct form. As with
session ids, the problem again is the asynchronous part of Ajax.
The only half-secure alternative I find remotely practical is to set a
hash as a global javascript variable on each "real" page load and
store that in the session. On Ajax requests you let that hash stick
around and you require ajax to pass that hash along each call. This
would require the session and the last full page to be hijacked to be
able to post data via Ajax.
/Martin
On Oct 2, 6:02 pm, Miles J <mileswjohn...@gmail.com> wrote:
> Well you can use my ajax handler, it wraps the security component so
> it works with AJAX calls.
>
> http://www.milesj.me/resources/script/ajax-handler-component
>
> On Oct 2, 7:12 am, Martin Westin <martin.westin...@gmail.com> wrote:
>
> > You CAN... but it is painful to say the least.
>
> > Since you can't have your cake and eat it ;) your best bet is to look
> > inside the Security Component to see what parts you want to use and
> > then put that into your own component, extend the core component or
> > something like that. You can also look at the Security class but it
> > does not offer any turn-key solutions for you.
>
> > At the risk of being misinterpreted, I am tempted to say that you
> > should not care where requests come from. Either a request is a
> > "public" request like /posts/display/123 or a protected action like /
> > posts/delete/123. Where the request comes from has little relevance in
> > the first case. In the second case it really has little relevance too
> > since you will be much more concerned about a valid session
> > identifying an authorized user, right?
>
> > If your security model needs to include "has been posted from exactly
> > my form on my page" then ajax should not be used for those requests.
> > IMHO.
>
> > /Martin
>
> > On Oct 1, 11:05 pm, "Dave Maharaj :: WidePixels.com" <d...@widepixels.com> wrote:
> > > But no good for AJAX.
>
> > > I have AJAX forms in my app so I can't use the security component.
>
> > > Can I? I know it won't work for AJAX submitted forms. I was just curious.
>
> > > Dave
>
> > > -----Original Message-----
> > > From: Martin Westin [mailto:martin.westin...@gmail.com]
> > > Sent: October-01-09 5:45 PM
> > > To: CakePHP
> > > Subject: Re: Where request comes from?
>
> > > The Security Component does this kind of thing for you. For example, it will
> > > embed a hash value into the form which is a checksum of the form. If a field
> > > is missing or added it will be captured. If a hidden value is modified this
> > > will also be captured. Also sessions will be more secure and a lot harder to
> > > hijack since the session id is replaced for each request.
>
> > > And a bunch more stuff.
>
> > > /Martin
>
> > > On Oct 1, 9:36 pm, Bert Van den Brande <cyr...@gmail.com> wrote:
> > > > I believe the FormHelper has some 'secure' stuff available for this
> > > > ... best to consult the documentation ...
>
> > > > On Thu, Oct 1, 2009 at 8:50 PM, Dave Maharaj :: WidePixels.com <d...@widepixels.com> wrote:
> > > > > Is there a way to determine / ensure that any requested action
> > > > > comes from the server?
>
> > > > > I mean more towards the aspect of forms. That when a form is
> > > > > submitted the request is coming from the site and not someone who
> > > > > made a form and is trying to submit it to your site.
>
> > > > > Just curious
>
> > > > > Thanks,
>
> > > > > Dave
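The per-page-load hash scheme Martin sketches at the top of this message, written out as an added example in plain PHP; it is neither CakePHP's SecurityComponent nor the Ajax handler component linked above, and the function names, the `X-Ajax-Token` header and the `ajax_token` session key are assumptions:

```php
<?php
// Added example, not CakePHP's SecurityComponent and not Martin's code:
// a minimal per-page-load token for Ajax requests in framework-agnostic PHP.
// Assumes PHP >= 7 (random_bytes, hash_equals) and an already started session.
declare(strict_types=1);

const AJAX_TOKEN_HEADER = 'HTTP_X_AJAX_TOKEN'; // $_SERVER key for X-Ajax-Token

/**
 * Call once per "real" (full) page render: mint a fresh token, store it in
 * the session, and return the <script> tag that exposes it to the page.
 * Rotating on every full page load keeps the lifetime of a leaked token short.
 */
function issueAjaxToken(): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['ajax_token'] = $token;
    // json_encode turns the value into a safe JS string literal.
    return '<script>window.AJAX_TOKEN = ' . json_encode($token) . ';</script>';
}

/**
 * Call at the top of every Ajax action. Returns true only when the session
 * holds a token and the request carried the same one in the custom header.
 * hash_equals() compares in constant time so timing does not leak the token.
 */
function ajaxTokenIsValid(array $server, array $session): bool
{
    $expected = $session['ajax_token'] ?? null;
    $supplied = $server[AJAX_TOKEN_HEADER] ?? null;
    if (!is_string($expected) || $expected === '' || !is_string($supplied)) {
        return false;            // no token issued yet, or none sent
    }
    return hash_equals($expected, $supplied);
}

// --- usage sketch (hypothetical routes) -------------------------------
// In a full-page view:   echo issueAjaxToken();
// In the browser (JS):   fetch('/posts/delete/123', { method: 'POST',
//                          headers: { 'X-Ajax-Token': window.AJAX_TOKEN } });
// In an Ajax-only action:
//   if (!ajaxTokenIsValid($_SERVER, $_SESSION)) { http_response_code(403); exit; }
```

Carrying the token in a custom request header rather than a form field means a plain cross-site form post cannot supply it, while, exactly as Martin says, an attacker who already holds both the session and a freshly loaded page still can, so this complements session authentication rather than replacing it.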
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---