Tuesday, April 2, 2013

Re: The request has been black-holed

No, I tested, handled the errors and realised that if either (i) I hadn't done my job properly or (ii) the people trying to break my site are cleverer than me, then I'm better off black-holing in some cases rather than having the client chase me because someone stole something from his site.

Jeremy Burns
Class Outfit

http://www.classoutfit.com

On 2 Apr 2013, at 16:40:59, ben@articad.cc wrote:


So you didn't turn it off?

So when people are browsing the site they are constantly hassled with "you have been blackholed"??

On Tuesday, April 2, 2013 4:12:49 PM UTC+1, Jeremy Burns wrote:
I disagree, I'm afraid. The Security component is there to save your 4r53; so by default it is tight - you have to loosen it if you want to. If it were the other way around you'd deploy it thinking you were safe and then find out you weren't (and would shout louder). I too had a learning curve with the Security component, but in the end it does what it says it will on the tin. The guide is also useful if you take the time to read it.

Jeremy Burns
Class Outfit

http://www.classoutfit.com

On 2 Apr 2013, at 16:06:35, b...@articad.cc wrote:


True, but should it be behaving so badly on installation? No one really knows what "black holed" means; it sounds a lot worse than it actually is. It's confusing and somewhat terrifying for it to appear off the bat after a fresh install.

csrfUseOnce should be false by default. That's all I'm saying.

On Tuesday, April 2, 2013 3:58:37 PM UTC+1, Jeremy Burns wrote:
When setting up the Security component there are settings that can help (although I am not entirely certain what risks - if any - these introduce):

// in your controller (CakePHP 2.x): component settings map onto
// SecurityComponent's public properties
public $components = array(
    'Security' => array(
        'csrfUseOnce' => false,
        'unlockedActions' => array(
            'your_action'
        )
    )
);

Setting csrfUseOnce to false means it will reuse the existing tokens, which in turn means you can refresh the page without a black hole.

The unlockedActions setting is clearly more risky as it effectively disables the component for that action - but in some cases it can be useful.

Jeremy Burns
Class Outfit

http://www.classoutfit.com

On 2 Apr 2013, at 15:41:59, b...@articad.cc wrote:


To save people from themselves? To save the world? I really don't care.

Bottom line: that black-holed request thing is a usability nightmare. You merely have to reload the page.

On Monday, April 1, 2013 6:41:44 AM UTC+1, rchavik wrote:


On Thursday, March 28, 2013 4:57:38 PM UTC+7, b...@articad.cc wrote:
Security features like this that cause issues with basic flow should be OFF by default. CakePHP is its own worst enemy for leaving it in.


Why do you think CakePHP turns SecurityComponent on by default?

--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
 
---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cake-php+u...@googlegroups.com.
To post to this group, send email to cake...@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
 
 


 
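The two settings argued over in this thread, put into a complete CakePHP 2.x controller together with a blackHoleCallback so that a black-holed request is logged and handled rather than surfacing as the bare "The request has been black-holed" page. This is an added example, not code from the thread or from CakePHP itself; the controller name, action names, model, and the log and flash wording are assumptions, while the component properties (csrfUseOnce, csrfExpires, unlockedActions, blackHoleCallback) and the reason strings passed to the callback are those of the 2.x SecurityComponent.

```php
<?php
// Added example (not from the thread or from CakePHP): a 2.x controller using
// the SecurityComponent settings discussed above. "OrdersController", the
// action names, the Order model and the message wording are assumptions.
App::uses('AppController', 'Controller');

class OrdersController extends AppController {

    public $components = array(
        'Session',
        'Security' => array(
            // Default is true: each CSRF token is good for exactly one POST, so a
            // browser refresh that resubmits the form presents a spent token and
            // is black-holed. With false the token stays valid until csrfExpires,
            // so a refresh or a second tab works; the token is still bound to the
            // session, so cross-site forgery is still blocked.
            'csrfUseOnce' => false,
            'csrfExpires' => '+30 minutes',
            // Skips BOTH the form-tampering check and the CSRF check for these
            // actions. Only list endpoints that genuinely cannot carry your token.
            'unlockedActions' => array('webhook'),
            // Controller method called instead of throwing BadRequestException.
            'blackHoleCallback' => 'blackhole',
        ),
    );

    /**
     * Receives the reason SecurityComponent gives when it black-holes a request:
     * 'csrf' (missing, expired or reused token), 'auth' (form fields added,
     * removed or altered), 'secure' (HTTPS required), or the HTTP method name
     * ('get', 'post', ...) when a require<Method>() rule failed.
     */
    public function blackhole($type) {
        // 'warning' is handled by the stock 'error' FileLog config in core.php.
        CakeLog::write('warning', sprintf(
            'Black-holed %s %s from %s (%s)',
            $this->request->method(),
            $this->request->here,
            $this->request->clientIp(),
            $type
        ));
        if ($type === 'csrf') {
            // A stale token is nearly always a double submit or an old tab:
            // send the user back to the form instead of a bare 400 page.
            $this->Session->setFlash('Your form had expired, please try again.');
            return $this->redirect($this->referer());
        }
        // Tampered fields, wrong method or plain HTTP on a secure action:
        // keep the hard failure, now logged with context.
        throw new BadRequestException('The request has been black-holed');
    }

    public function add() {
        // Ordinary form-driven action: SecurityComponent is fully active here.
        if ($this->request->is('post')) {
            $this->Order->create();
            if ($this->Order->save($this->request->data)) {
                $this->Session->setFlash('Order saved.');
                return $this->redirect(array('action' => 'index'));
            }
        }
    }

    public function webhook() {
        // Unlocked: a third party cannot hold our session token, so its own
        // authentication (e.g. a signature over the raw body from
        // $this->request->input()) must be checked here, not by SecurityComponent.
        $this->autoRender = false;
        if (!$this->request->is('post')) {
            throw new MethodNotAllowedException();
        }
        $this->response->body('ok');
        return $this->response;
    }
}
```

What the two loosening settings actually give up: csrfUseOnce => false only removes the one-use (replay) property of a token inside its csrfExpires window, so the usability complaint about refreshes goes away while the session-bound token still stops cross-site forgery. unlockedActions removes every SecurityComponent check for the named action, including the form-tampering check, which is why it belongs only on endpoints such as the webhook above that cannot present a token and that authenticate the caller some other way.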
