Friday, October 2, 2009

RE: Where request comes from?

Cool will def check it out.

I can't use the security component with AJAX calls if I read the docs
correctly. But with your component I can include the security component and it
will play nice with AJAX? Add the tokens and so on to the forms?

Dave

-----Original Message-----
From: Miles J [mailto:mileswjohnson@gmail.com]
Sent: October-02-09 1:33 PM
To: CakePHP
Subject: Re: Where request comes from?


Well you can use my ajax handler, it wraps the security component so it
works with AJAX calls.

http://www.milesj.me/resources/script/ajax-handler-component

On Oct 2, 7:12 am, Martin Westin <martin.westin...@gmail.com> wrote:
> You CAN... but it is painful to say the least.
>
> Since you can't have your cake and eat it ;) your best bet is to look
> inside the Security Component to see what parts you want to use and
> then put that into your own component, extend the core component or
> something like that. You can also look at the Security class but it
> does not offer any turn-key solutions for you.
>
> At the risk of being misinterpreted, I am tempted to say that you
> should not care where requests come from. Either a request is a
> "public" request like /posts/display/123 or a protected action like /
> posts/delete/123. Where the request comes from has little relevance in
> the first case. In the second case it really has little relevance too
> since you will be much more concerned about a valid session
> identifying an authorized user, right?
>
> If your security model needs to include "has been posted from exactly
> my form on my page" then ajax should not be used for those requests.
> IMHO.
>
> /Martin
>
> On Oct 1, 11:05 pm, "Dave Maharaj :: WidePixels.com" <d...@widepixels.com> wrote:
> > But no good for AJAX.
>
> > I have AJAX forms in my app so I can't use the security component.
>
> > Can I? I know it won't work for AJAX submitted forms. I was just curious.
>
> > Dave
>
> > -----Original Message-----
> > From: Martin Westin [mailto:martin.westin...@gmail.com]
> > Sent: October-01-09 5:45 PM
> > To: CakePHP
> > Subject: Re: Where request comes from?
>
> > The Security Component does this kind of thing for you. For example,
> > it will embed a hash value into the form which is a checksum of the
> > form. If a field is missing or added it will be captured. If a
> > hidden value is modified this will also be captured. Also sessions
> > will be more secure and a lot harder to hijack since the session id is
> > replaced for each request.
>
> > And a bunch more stuff.
>
> > /Martin
>
> > On Oct 1, 9:36 pm, Bert Van den Brande <cyr...@gmail.com> wrote:
> > > I believe the FormHelper has some 'secure' stuff available for
> > > this ... best to consult the documentation ...
>
> > > On Thu, Oct 1, 2009 at 8:50 PM, Dave Maharaj :: WidePixels.com <d...@widepixels.com> wrote:
> > > > Is there a way to determine / ensure that any requested action
> > > > comes from the server?
>
> > > > I mean more towards the aspect of forms. That when a form is
> > > > submitted the request is coming from the site and not someone
> > > > who made a form and is trying to submit it to your site.
>
> > > > Just curious
>
> > > > Thanks,
>
> > > > Dave


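
The form-checksum idea described in the thread (a hash embedded in the form that changes if a field is added, removed, or a hidden value is modified), as an added PHP example that is not part of the original messages and is not CakePHP's Security Component code. The function names, the `_token` field, and the per-session secret are assumptions made for illustration; the same server-side check applies whether the fields arrive from a normal form post or an AJAX request, as long as the token is sent along.

```php
<?php
// Added illustration, not CakePHP's own implementation.
// Assumption: $secret is a random key stored server-side in the user's session.

// Called when rendering the form: binds the field list and hidden values to the secret.
function form_token(array $fieldNames, array $hiddenValues, string $secret): string
{
    $fieldNames = array_map('strval', $fieldNames);
    sort($fieldNames, SORT_STRING);          // field order must not matter
    $hiddenValues = array_map('strval', $hiddenValues);
    ksort($hiddenValues, SORT_STRING);       // hidden fields are locked by name and value
    return hash_hmac('sha256', json_encode([$fieldNames, $hiddenValues]), $secret);
}

// Called on submit: recomputes the token from what actually arrived.
function verify_submission(array $post, array $hiddenNames, string $secret): bool
{
    $token = $post['_token'] ?? null;
    unset($post['_token']);
    if (!is_string($token)) {
        return false;                        // token missing or malformed
    }
    $hidden = [];
    foreach ($hiddenNames as $name) {
        if (!isset($post[$name]) || !is_string($post[$name])) {
            return false;                    // locked hidden field removed or reshaped
        }
        $hidden[$name] = $post[$name];
    }
    $expected = form_token(array_keys($post), $hidden, $secret);
    return hash_equals($expected, $token);   // constant-time comparison
}

// Constructed sample data: an edit form for post 123.
$secret = random_bytes(32);
$token  = form_token(['id', 'title', 'body'], ['id' => '123'], $secret);

$genuine        = ['id' => '123', 'title' => 'Hi', 'body' => 'text', '_token' => $token];
$tamperedHidden = ['id' => '999'] + $genuine;        // hidden value changed
$extraField     = $genuine + ['is_admin' => '1'];    // field added
$foreignForm    = ['id' => '123', 'title' => 'Hi', 'body' => 'text']; // no token at all

foreach (compact('genuine', 'tamperedHidden', 'extraField', 'foreignForm') as $label => $post) {
    printf("%-15s %s\n", $label, verify_submission($post, ['id'], $secret) ? 'accepted' : 'rejected');
}
```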
