Hi Martin.

Thanks for your response!  I actually know how that kind of defense
works (hidden token generated in the form that must match the token in
the session).  I already have programmed that manually.

Right, I am interested in using it but with AJAX requests inside the
form that refresh some of the inputs in it.

I've seen that other people have had similar issues with this:
https://trac.cakephp.org/ticket/2773
https://trac.cakephp.org/ticket/5218

I would really like to have CSRF defense in my application.

I hesitate whether to send a bug report or not, because other times
I've done it I've needed to argue about it... and sometimes it takes a
lot of effort (especially for me since my mother tongue is other than
English).

Best regards,

B.

On 21 oct, 02:11, "[EMAIL PROTECTED]"
<[EMAIL PROTECTED]> wrote:
> I don't use much ajax in my current work.
> I do use Security Component, though. What might show you the right
> direction is how Security works on forms to prevent outside requests.
>
> Just by including the component in your controller Cake will add a
> hash to your form. If the form is posted without the correct hash, it
> is rejected. This can probably get a bit messy if your ajax form is
> not "refreshed" with a new hash before each post. Your ajax posts
> might be rejected for this reason.
>
> Creating a simple "normal" form using Form helper and looking at the
> html-source will show you what happens when Security is enabled.
>
> hope that helps.
> /Martin
>
> On Oct 21, 1:59 am, Braulio <[EMAIL PROTECTED]> wrote:
>
> > Hello...
>
> > I have added this to my app_controller:
>
> > var $components = array('Auth', 'Security');
>
> > Then in one of my controllers I have:
>
> > $this->Security->requireAuth('add', 'add_streams');
> > $this->Security->allowedActions = array('ajax_cantons',
> > 'ajax_districts');
>
> > The actions ajax_cantons and ajax_districts are called from the add
> > action with AJAX.  I do that to have some sort of dynamic population
> > of cantons and districts according to a province.
>
> > However, whenever security is enabled, AJAX population does not work.
> > I have also added allowedActions, but it did not work.  Has someone
> > experience with this?
>
> > Regards,
>
> > B.
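The scheme Braulio describes (a hidden form token that must match the token in the session), together with the stale-token problem Martin raises for AJAX refreshes, as an added example in plain PHP. This is not CakePHP's Security component; the action, header and field names are assumptions.

```php
<?php
// Added example (plain PHP, not CakePHP's Security component): one CSRF
// token per session, embedded in the form, checked on every POST, and
// echoed back by the AJAX endpoint so a partially refreshed form never
// ends up holding a stale token. Function, header and field names are hypothetical.
session_start();

function csrf_token(): string {
    // Generated once per session from a CSPRNG; stable across AJAX refreshes,
    // so refreshing part of the form does not invalidate the final submit.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check($sent): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    // Reject if no token was ever issued or the client sent something other
    // than a string; hash_equals() compares in constant time.
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// Hypothetical AJAX action that refreshes the districts <select> for a province.
// The client sends the token in an X-CSRF-Token header and, after swapping the
// returned markup into the form, rewrites the hidden _csrf field from 'csrf'.
function ajax_districts(array $districts): string {
    if (!csrf_check($_SERVER['HTTP_X_CSRF_TOKEN'] ?? null)) {
        http_response_code(403);
        return json_encode(['error' => 'CSRF token missing or invalid']);
    }
    $options = '';
    foreach ($districts as $id => $name) {
        $options .= sprintf('<option value="%d">%s</option>',
            $id, htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
    }
    return json_encode(['html' => $options, 'csrf' => csrf_token()]);
}

// The full form carries the same token in a hidden field.
function hidden_csrf_field(): string {
    return '<input type="hidden" name="_csrf" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Final submit of the add form: reject before touching any model.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['_csrf'] ?? null)) {
        http_response_code(403);
        exit('CSRF check failed');
    }
    // ... save the record here ...
}
```

Both the AJAX action and the final POST are checked, so allowing the AJAX actions does not mean leaving them unprotected; the check only differs in where the token is read from.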
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---