I disagree, I'm afraid. The Security component is there to save your 4r53; so 
by default it is tight - you have to loosen it if you want to. If it were the 
other way around you'd deploy it thinking you were safe and then find out you 
weren't (and would shout louder). I too had a learning curve with the Security 
component but in the end it does what it says it will on the tin. The guide is 
also useful if you take the time to read it.

Jeremy Burns
Class Outfit

http://www.classoutfit.com

On 2 Apr 2013, at 16:06:35, b...@articad.cc wrote:

> 
> True, but should it be behaving so badly on installation? No one really knows 
> what "black holed" means, it sounds a lot worse than it actually is. It's 
> confusing and somewhat terrifying for it to appear off the bat after a fresh 
> install.
> 
> csrfUseOnce should be false by default. That's all I'm saying.
> 
> On Tuesday, April 2, 2013 3:58:37 PM UTC+1, Jeremy Burns wrote:
> When setting up the Security component there are settings that can help 
> (although I am not entirely certain what risks - if any - these introduce):
> 
> 'Security' => array(
>       'csrfUseOnce' => false,
>       'unlockedActions' => array(
>               'your_action'
>       )
> )
> 
> Setting csrfUseOnce to false means it will reuse the existing tokens, which 
> in turn means you can refresh the page without a black hole.
> 
> The unlockedActions setting is clearly more risky as it effectively disables 
> the component for that action - but in some cases it can be useful.
> 
> Jeremy Burns
> Class Outfit
> 
> http://www.classoutfit.com
> 
> On 2 Apr 2013, at 15:41:59, b...@articad.cc wrote:
> 
>> 
>> To save people from themselves? To save the world? I really don't care. 
>> 
>> Bottom line: That blackholed request thing is a usability nightmare. You 
>> merely have to reload the page
>> 
>> On Monday, April 1, 2013 6:41:44 AM UTC+1, rchavik wrote:
>> 
>> 
>> On Thursday, March 28, 2013 4:57:38 PM UTC+7, b...@articad.cc wrote:
>> Security features like this that cause issues with basic flow should be OFF 
>> by default. CakePHP is its own worst enemy for leaving it in.
>> 
>> 
>> Why do you think CakePHP turns SecurityComponent on by default?
>> 
>> -- 
>> Like Us on FaceBook https://www.facebook.com/CakePHP
>> Find us on Twitter http://twitter.com/CakePHP
>>  
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CakePHP" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to cake-php+u...@googlegroups.com.
>> To post to this group, send email to cake...@googlegroups.com.
>> Visit this group at http://groups.google.com/group/cake-php?hl=en.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>  
>>  
> 
> 
>  
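
A simplified model of the token behaviour discussed in this thread, added here as an example; it is not CakePHP's SecurityComponent code and was not posted by any participant. The class, method and function names are hypothetical, the timestamps are constructed, and PHP 8 is assumed; only the `csrfUseOnce` setting name comes from the thread.

```php
<?php
// Simplified model of session CSRF tokens, NOT CakePHP's own implementation.
// CsrfTokenStore, issue(), validate() and replay() are hypothetical names.
class CsrfTokenStore
{
    private array $tokens = []; // token => expiry timestamp

    public function __construct(private bool $useOnce, private int $ttl = 1800) {}

    // Called when a form is rendered.
    public function issue(int $now): string
    {
        if (!$this->useOnce) {
            // Reuse mode: hand back a token that is still valid, if any.
            foreach ($this->tokens as $token => $expires) {
                if ($expires > $now) {
                    return (string) $token;
                }
            }
        }
        $token = bin2hex(random_bytes(16));
        $this->tokens[$token] = $now + $this->ttl;
        return $token;
    }

    // Called when a form is submitted; false models a black-holed request.
    public function validate(string $submitted, int $now): bool
    {
        $this->tokens = array_filter($this->tokens, fn (int $exp): bool => $exp > $now);
        if (!isset($this->tokens[$submitted])) {
            return false;
        }
        if ($this->useOnce) {
            unset($this->tokens[$submitted]); // use and burn
        }
        return true;
    }
}

// Constructed scenario: submit a form, reload (same token re-posted), then post after expiry.
function replay(bool $useOnce): array
{
    $store = new CsrfTokenStore($useOnce);
    $token = $store->issue(1000);
    return ['first_post' => $store->validate($token, 1005),
            'reload_repost' => $store->validate($token, 1010),
            'after_expiry' => $store->validate($token, 1000 + 3600)];
}

foreach ([true, false] as $useOnce) {
    echo 'csrfUseOnce=' . var_export($useOnce, true) . ' ' . json_encode(replay($useOnce)) . PHP_EOL;
}
```

In the reuse case the same token is accepted for every submission until it expires, so the protection depends on that token staying secret for its whole lifetime rather than for a single request.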
