On Fri, Jul 16, 2010 at 9:30 AM, jdbartlett <cont...@jdbartlett.com> wrote: > SecurityComponent is good for protecting against CSRF attacks, but > when I encounter a black hole while debugging an app, I want to know > why. When SecurityComponent black holes a request, it's only capable > of telling you one thing: you sent a bad request. That's good for > production--you want attackers to have as little information as > possible--but it's frustrating for developers who are debugging their > code. > > I think it would be helpful if there were an option to have > SecurityComponent and FormHelper log the unserialized field lists they > use to produce token hashes. > > My idea is to create a security.log in tmp/logs with entries like: > * [Time and Request URI] - Form field hash [hash] based on [field > list] > * [Time and Request URI] - Request field hash [hash] based on [field > list] > * [Time and Request URI] - Request field hash [hash] does not match > Form field hash [hash] > > Because it's intended for debugging specific black holes, I think such > logging should be a discrete configuration option for > SecurityComponent. Developers would enable it only when they need to > work out why a specific request is being black holed. > > Does anyone else think this would be helpful? Are there good reasons > to avoid such an approach? I've hacked my own SecurityComponent and > FormHelper forks to do this, but wanted the community's opinion on the > idea before cleaning it up and submitting a patch/pull request.
One vote from me. That seems worthwhile. Perhaps a good approach would be to create a plugin. Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions. You received this message because you are subscribed to the Google Groups "CakePHP" group. To post to this group, send email to cake-php@googlegroups.com To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
