Re: Security Question

2013-03-14 Thread lowpass
On Wed, Mar 13, 2013 at 10:19 PM, Advantage+  wrote:
> When I logout of my site it redirects me to /login.
>
> If I then hit login (nothing entered in user / pass) I get black-holed.
>
> The requested address '/login' was not found on this server.
>
>
>
> Why is that? It should just show the errors "Invalid User / Pass" Or
> validation errors. Not black hole the whole thing.

Is debug set to 0? If so, cake throws a 404 on error. There may be
something wrong in your code. Set it to 2 and see if it displays an
error msg.

-- 
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

--- 
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cake-php+unsubscr...@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.




Re: Security question

2011-01-25 Thread Larry E. Masters
Welcome. You might want to look at this plugin on github too, it might save
you some time.

https://github.com/CakeDC/users

-- 
Larry E. Masters


On Tue, Jan 25, 2011 at 3:32 PM, Dave Maharaj  wrote:

>  Thanks. That's all I needed to know :)
>
>
>
> --
> Our newest site for the community: CakePHP Video Tutorials
> http://tv.cakephp.org
> Check out the new CakePHP Questions site http://ask.cakephp.org and help
> others with their CakePHP related questions.
>
>
> To unsubscribe from this group, send email to
> cake-php+unsubscr...@googlegroups.comFor
>  more options, visit this group at
> http://groups.google.com/group/cake-php
>

-- 
Our newest site for the community: CakePHP Video Tutorials 
http://tv.cakephp.org 
Check out the new CakePHP Questions site http://ask.cakephp.org and help others 
with their CakePHP related questions.


To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php


RE: Security question

2011-01-25 Thread Dave Maharaj
Thanks. That's all I needed to know :)

 



Re: Security question

2011-01-25 Thread Larry E. Masters
There is no benefit to doing this.

-- 
Larry E. Masters


On Tue, Jan 25, 2011 at 3:23 PM, Dave Maharaj  wrote:

>  I do not think if it is or is not…hence the question.
>
>
>
> *From:* Larry E. Masters [mailto:php...@gmail.com]
> *Sent:* Tuesday, January 25, 2011 5:49 PM
> *To:* cake-php@googlegroups.com
> *Subject:* Re: Security question
>
>
>
> Why do you think this would be more "secure"?
>
>
>
> --
>
> Larry E. Masters
>
>
>
> On Tue, Jan 25, 2011 at 3:13 PM, Dave Maharaj  wrote:
>
> Security as in secure not the Security component to not confuse anyone.
>
>
>
> Is it better / more secure / better practice to have a table with
> "password" information only, with fields like user_id, reset_token,
> question, answer, password, email, attempts and keep plain text (firstname,
> lastname, so on) in a User table?
>
>
>
> Just curious.
>
>
>
> Thanks
>
>
>
> Dave
>
>



RE: Security question

2011-01-25 Thread Dave Maharaj
I do not think if it is or is not... hence the question.

From: Larry E. Masters [mailto:php...@gmail.com]
Sent: Tuesday, January 25, 2011 5:49 PM
To: cake-php@googlegroups.com
Subject: Re: Security question

Why do you think this would be more "secure"?

-- 
Larry E. Masters

On Tue, Jan 25, 2011 at 3:13 PM, Dave Maharaj  wrote:

Security as in secure, not the Security component, to not confuse anyone.

Is it better / more secure / better practice to have a table with "password"
information only, with fields like user_id, reset_token, question, answer,
password, email, attempts and keep plain text (firstname, lastname, so on)
in a User table?

Just curious.

Thanks

Dave



Re: Security question

2011-01-25 Thread Larry E. Masters
Why do you think this would be more "secure"?

-- 
Larry E. Masters


On Tue, Jan 25, 2011 at 3:13 PM, Dave Maharaj  wrote:

>  Security as in secure, not the Security component, to not confuse anyone.
>
>
>
> Is it better / more secure / better practice to have a table with
> "password" information only, with fields like user_id, reset_token,
> question, answer, password, email, attempts and keep plain text (firstname,
> lastname, so on) in a User table?
>
>
>
> Just curious.
>
>
>
> Thanks
>
>
>
> Dave
>
>



RE: Security Question

2009-08-06 Thread Dave Maharaj :: WidePixels.com

Thanks for your insight.

Dave 

-Original Message-
From: Miles J [mailto:mileswjohn...@gmail.com] 
Sent: August-06-09 6:04 PM
To: CakePHP
Subject: Re: Security Question


I don't see anything wrong with it, it's pretty much a typical action setup.


--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to 
cake-php+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~--~~~~--~~--~--~---



Re: Security Question

2009-08-06 Thread Miles J

I don't see anything wrong with it, it's pretty much a typical action
setup.



Re: Security question

2009-07-13 Thread Richard
Hi Dave,

In terms of security, my opinion is that your concern should be with how the
data is protected rather than the profiles a person can have. I was
responsible for the architecture of a major real estate application and we
implemented it in a similar way to the one you mentioned. Each user had
"profiles", with each one representing either property, sale, or rental. Each
type of profile had its own table, with a one-to-many relationship from the user.

Hope this helps,
Richard

On Sun, Jul 12, 2009 at 4:27 PM, Dave Maharaj :: WidePixels.com <
d...@widepixels.com> wrote:

>  What would be the security holes to watch for in a situation like this?
>
> Everyone who registers is a user.
>
> User is then broken up into one of 2 groups depending on what role they
> select (think of a real estate site where you may be looking for a home or
> selling, so you're either a buyer or seller).
>
> There is nothing to really prevent a user from signing up as each, as each
> side of the site is specific for the role they select and no interaction
> between the 2 really, but once you're logged in you cannot access the
> registration form again, so sure you can log out and register again but get a
> new user id, so I really do not see any security issues with the idea.
>
> But the user hasOne sellerProfile
> and user hasOne buyerProfile seems to worry me somewhat because the user
> can only have 1 or the other and not both. I split the profiles simply
> because the information is so different for each side.
>
> Are there issues with this approach?
>
> Dave

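Richard's point in this thread, that the data behind each profile needs protecting more than the number of profiles a person can hold, is easiest to see as a server-side read check. The following is an added example, not code from the list or from any CakePHP project: a buyer/seller setup like the one Dave describes, modelled with constructed in-memory tables, where every profile read is authorized against the session user's role and the row's owner rather than the id in the URL. The table names, user ids and the `load_profile` / `can_read` helpers are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Dict


class Forbidden(Exception):
    """Raised when the session user may not read the requested profile."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "buyer" or "seller", chosen at registration as in the thread


@dataclass(frozen=True)
class Profile:
    id: int
    user_id: int
    kind: str  # which profile table the row lives in


# Constructed in-memory tables standing in for users, buyer_profiles and
# seller_profiles; not the original poster's schema.
USERS: Dict[int, User] = {
    1: User(id=1, role="buyer"),
    2: User(id=2, role="seller"),
}
PROFILES: Dict[str, Dict[int, Profile]] = {
    "buyer": {10: Profile(id=10, user_id=1, kind="buyer")},
    "seller": {20: Profile(id=20, user_id=2, kind="seller")},
}


def load_profile(current_user: User, kind: str, profile_id: int) -> Profile:
    """Authorize a profile read on the server, on every request.

    Three things are checked before the row is returned: the profile table is
    one the app knows about, the session user's role matches that table, and
    the row belongs to the session user. The id taken from the URL is never
    trusted on its own, and a missing row and another user's row raise the
    same error, so a caller cannot learn which ids exist.
    """
    table = PROFILES.get(kind)
    if table is None or current_user.role != kind:
        raise Forbidden(f"user {current_user.id} may not read {kind} profiles")
    row = table.get(profile_id)
    if row is None or row.user_id != current_user.id:
        raise Forbidden(f"{kind} profile {profile_id} is not readable by user {current_user.id}")
    return row


def can_read(user_id: int, kind: str, profile_id: int) -> bool:
    """Boolean wrapper for callers that only need a yes/no; unknown users are denied."""
    user = USERS.get(user_id)
    if user is None:
        return False
    try:
        load_profile(user, kind, profile_id)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    print("buyer 1 reads own buyer profile:", can_read(1, "buyer", 10))   # True
    print("buyer 1 reads seller profile 20:", can_read(1, "seller", 20))  # False
    print("seller 2 reads buyer profile 10:", can_read(2, "buyer", 10))   # False
```

Because the role check and the ownership check both live in the one loader, a controller that only ever fetches profiles through it cannot accidentally expose a seller's record to a buyer session, whichever of the two hasOne tables the URL names.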



Re: Security question

2009-05-21 Thread jperras

If you're not modifying form fields with JavaScript, AJAX form
submissions should have no impact on the use of the Security component
and its ability to prevent CSRF attacks.

-j.

On May 20, 11:22 pm, "Dave Maharaj :: WidePixels.com"
 wrote:
> I am trying to break my application.
>
> How can I tell if a logged in user is trying to do the same by using Firebug
> and adding a form to a page?
> I don't want to just sanitize and all of that... I want to know and ban that
> specific user. What would be the best approach to determine if a user is
> trying to submit data that should not be submitted?
> For example, a page that has no form and someone adds a form and tries to
> submit: could I easily check $this->data because there should be none?
>
> if (!empty($this->data)) {
>     // ...banuser()...
> }
>
> Is there a better method or something already around that can help? Most of
> my requests are AJAX so for pages with forms the Security component is no
> good for me.
> Ideas? Suggestions?
>
> Thanks,
>
> Dave



Re: Security question: AuthComponent and passwords

2008-10-12 Thread [EMAIL PROTECTED]

In RC3 I've got a big problem with the Auth component ;<

On 12 Oct, 19:00, "Bernhard J. M. Grün"
<[EMAIL PROTECTED]> wrote:
> Hi!
>
> Thanks for your response.
> I already know that Security::hash() is used to generate the hash. But the
> problem is that the hash is insecure (for passwords) in my eyes. The reason
> is that two passwords encrypt to the same hash (given the secret salt is the
> same which is the case).
>
> -- Bernhard J. M. Grün
>
> 2008/10/12 [EMAIL PROTECTED] <[EMAIL PROTECTED]>
>
>
>
> >http://api.cakephp.org/class_auth_component.html#216d4deefcd62ffeac5d...
>
> > On Oct 11, 5:24 am, "Bernhard J. M. Grün"
> > <[EMAIL PROTECTED]> wrote:
> > > Hi!
>
> > > Is it correct that the passwords created with the help of the
> > > AuthComponent are not public hashed (i.e. only secret hashed)? At least
> > > in my test app it seems to be like that.
> > > If so this is a major security hole.
> > > Example:
> > > User Alice has password "test": 2dd357c503a6812e276096a306cca02852cc1e4f
> > > User Bob has the same password: 2dd357c503a6812e276096a306cca02852cc1e4f
> > > Now hacker Charlie gains access to the database. He sees that both
> > > passwords are identical. So it is much easier for him to break in. If
> > > user Alice for example uses her password for other websites and hacker
> > > Charlie gets that password, user Bob's account is also lost.
> > > IMHO there is a reason why Unix, *BSD, Linux, OSX, ... use a public salt
> > > for their passwords. Maybe CakePHP should do the same.
> > > So the correct way for passwords is:
> > > crypt(crypt('password', 'secretsalt'), 'publicsalt') where publicsalt is
> > > concatenated at front of the crypted password.
>
> > > -- Bernhard J. M. Grün



Re: Security question: AuthComponent and passwords

2008-10-12 Thread Bernhard J. M. Grün
Hi!

Thanks for your response.
I already know that Security::hash() is used to generate the hash. But the
problem is that the hash is insecure (for passwords) in my eyes. The reason
is that two passwords encrypt to the same hash (given the secret salt is the
same which is the case).

-- Bernhard J. M. Grün


2008/10/12 [EMAIL PROTECTED] <[EMAIL PROTECTED]>

>
>
> http://api.cakephp.org/class_auth_component.html#216d4deefcd62ffeac5d9334b9cc2614
>
> On Oct 11, 5:24 am, "Bernhard J. M. Grün"
> <[EMAIL PROTECTED]> wrote:
> > Hi!
> >
> > Is it correct that the passwords created with the help of the
> > AuthComponent are not public hashed (i.e. only secret hashed)? At least
> > in my test app it seems to be like that.
> > If so this is a major security hole.
> > Example:
> > User Alice has password "test": 2dd357c503a6812e276096a306cca02852cc1e4f
> > User Bob has the same password: 2dd357c503a6812e276096a306cca02852cc1e4f
> > Now hacker Charlie gains access to the database. He sees that both
> > passwords are identical. So it is much easier for him to break in. If
> > user Alice for example uses her password for other websites and hacker
> > Charlie gets that password, user Bob's account is also lost.
> > IMHO there is a reason why Unix, *BSD, Linux, OSX, ... use a public salt
> > for their passwords. Maybe CakePHP should do the same.
> > So the correct way for passwords is:
> > crypt(crypt('password', 'secretsalt'), 'publicsalt') where publicsalt is
> > concatenated at front of the crypted password.
> >
> > -- Bernhard J. M. Grün
>
> >
>




Re: Security question: AuthComponent and passwords

2008-10-12 Thread [EMAIL PROTECTED]

http://api.cakephp.org/class_auth_component.html#216d4deefcd62ffeac5d9334b9cc2614

On Oct 11, 5:24 am, "Bernhard J. M. Grün"
<[EMAIL PROTECTED]> wrote:
> Hi!
>
> Is it correct that the passwords created with the help of the AuthComponent
> are not public hashed (i.e. only secret hashed)? At least in my test app it
> seems to be like that.
> If so this is a major security hole.
> Example:
> User Alice has password "test": 2dd357c503a6812e276096a306cca02852cc1e4f
> User Bob has the same password: 2dd357c503a6812e276096a306cca02852cc1e4f
> Now hacker Charlie gains access to the database. He sees that both
> passwords are identical. So it is much easier for him to break in. If user
> Alice for example uses her password for other websites and hacker Charlie
> gets that password, user Bob's account is also lost.
> IMHO there is a reason why Unix, *BSD, Linux, OSX, ... use a public salt
> for their passwords. Maybe CakePHP should do the same.
> So the correct way for passwords is:
> crypt(crypt('password', 'secretsalt'), 'publicsalt') where publicsalt is
> concatenated at front of the crypted password.
>
> -- Bernhard J. M. Grün

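Bernhard's observation above is worth seeing in running code: with one application-wide secret salt, Alice and Bob choosing the same password produce byte-identical rows, and a per-user public salt stored beside the digest removes that. What follows is an added example, not code from the list or from CakePHP; the exact digest construction `sha1(secret_salt . password)` is assumed as a model of the scheme the thread describes, the secret salt is a constructed value, and the per-user layer uses PBKDF2 in place of the thread's `crypt()`, which is a swapped-in choice so that the result is also slow to brute-force.

```python
import hashlib
import hmac
import os

# Constructed for this example: the single application-wide "secretsalt" the thread refers to.
SECRET_SALT = "example-app-wide-secret"


def hash_secret_salt_only(password: str) -> str:
    """sha1(secret_salt . password): a model of the scheme the thread describes.

    The salt is shared by every user, so two users with the same password end
    up with identical digests in the users table and an attacker who reads the
    table can see which accounts share a password without breaking anything.
    """
    return hashlib.sha1((SECRET_SALT + password).encode("utf-8")).hexdigest()


def new_public_salt() -> bytes:
    """A random per-user salt; it is stored next to the digest and is not secret."""
    return os.urandom(16)


def hash_with_public_salt(password: str, public_salt: bytes) -> str:
    """Per-user public salt layered over the secret-salted digest, as the thread suggests.

    The inner digest keeps the secret salt; the outer layer mixes in the random
    per-user salt (via PBKDF2-HMAC-SHA256 here, a slow function, rather than
    crypt()). The salt is concatenated in front of the result so verification
    can recover it, which is exactly what the thread proposes for publicsalt.
    """
    inner = hash_secret_salt_only(password).encode("ascii")
    outer = hashlib.pbkdf2_hmac("sha256", inner, public_salt, 100_000)
    return public_salt.hex() + "$" + outer.hex()


def verify(password: str, stored: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    salt_hex, _digest = stored.split("$", 1)
    candidate = hash_with_public_salt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def identical_digests(scheme: str, password: str = "test") -> bool:
    """True if two users who both pick `password` get the same stored value under `scheme`."""
    if scheme == "secret-only":
        return hash_secret_salt_only(password) == hash_secret_salt_only(password)
    if scheme == "public-salt":
        alice = hash_with_public_salt(password, new_public_salt())
        bob = hash_with_public_salt(password, new_public_salt())
        return alice == bob
    raise ValueError(f"unknown scheme {scheme!r}")


if __name__ == "__main__":
    print("secret-only, Alice == Bob:", identical_digests("secret-only"))   # True
    print("public-salt, Alice == Bob:", identical_digests("public-salt"))   # False
```

Keeping the secret salt in the inner layer means an attacker with only the database still lacks the application secret, while the public salt guarantees that equal passwords no longer reveal themselves by equality of rows.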



Re: Security question

2007-06-30 Thread Riky Kurniawan
On 6/30/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
>
> Hi there,
>
> A newbie question, so sorry if this is easy.  I had a look through the
> forum and didn't see the answer.
>
> I have an area on my app where the user votes by clicking on an
> image.  Via AJAX, this updates a DIV with stats elsewhere on the
> page.  The link looks like this:
>
> http://domain.com/competitions/vote/27
>
> How do I prevent someone from voting by manually entering this URL?
> Should I change the voting area to a form?  I noticed there was a
> security component on the forum but some folks weren't happy with it.
>
> I'm sure everyone's had a similar situation in their app.  How did you
> go about securing it?
>
> Cheers,
> Wilson


Maybe you can try the isAjax method (please refer to the CakeManual).

I've never used it, but I think it's worth a try... :)


-- 

Y!M id: riky.kurniawan
LinkedIn: http://www.linkedin.com/in/rikykurniawan
Friendster: http://www.friendster.com/rikyknwn
Personal blog: http://riky.kurniawan.us





Re: Security question

2007-06-30 Thread francky06l

You can indeed make a form, but a "post" can also be tricked.

This thread shows some solutions for this, especially the GET with
some MD5 hashing:

http://groups.google.com/group/cake-php/browse_thread/thread/76dfe9536d8a761e/2713f28a4995c203?lnk=gst&q=delete+get+method&rnum=10#2713f28a4995c203

On Jun 30, 5:25 pm, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> Hi there,
>
> A newbie question, so sorry if this is easy.  I had a look through the
> forum and didn't see the answer.
>
> I have an area on my app where the user votes by clicking on an
> image.  Via AJAX, this updates a DIV with stats elsewhere on the
> page.  The link looks like this:
>
> http://domain.com/competitions/vote/27
>
> How do I prevent someone from voting by manually entering this URL?
> Should I change the voting area to a form?  I noticed there was a
> security component on the forum but some folks weren't happy with it.
>
> I'm sure everyone's had a similar situation in their app.  How did you
> go about securing it?
>
> Cheers,
> Wilson


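Two threads on this page end up at the same control: the 2009 one asking how to notice a form that was added to a page in the browser, and this 2007 one asking how to stop a vote from being cast by typing `/competitions/vote/27` into the address bar. In both cases the server should only honour an action that carries a token it issued to that user for that record, which is what a CSRF component emits into its forms and what the "GET with some hashing" suggestion does for links. The block below is an added example, not code from the list or from CakePHP, written in Python rather than PHP so it runs directly; the server secret, the token lifetime, the token layout and the `handle_vote` stand-in for the controller action are all constructed for this illustration.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Set

# Constructed for this example: the signing secret would come from the app's
# configuration in practice, and the lifetime is an arbitrary choice.
SERVER_SECRET = b"example-secret-loaded-from-configuration"
TOKEN_TTL_SECONDS = 600


def make_action_token(user_id: int, action: str, record_id: int,
                      issued_at: Optional[int] = None) -> str:
    """Sign (user, action, record, issue time) with the server secret.

    The token is rendered into the page that shows the vote control, so a
    request typed straight into the address bar, or a form added to the page
    in the browser, carries no valid token for this user and this record.
    """
    if issued_at is None:
        issued_at = int(time.time())
    message = f"{user_id}|{action}|{record_id}|{issued_at}".encode("utf-8")
    signature = hmac.new(SERVER_SECRET, message, hashlib.sha256).hexdigest()
    return f"{issued_at}.{signature}"


def verify_action_token(token: str, user_id: int, action: str, record_id: int,
                        now: Optional[int] = None) -> bool:
    """Recompute the token for the expected tuple and compare in constant time."""
    if now is None:
        now = int(time.time())
    try:
        issued_str, _signature = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:  # malformed token: no separator or non-numeric timestamp
        return False
    if not 0 <= now - issued_at <= TOKEN_TTL_SECONDS:
        return False  # expired, or claims to have been issued in the future
    expected = make_action_token(user_id, action, record_id, issued_at)
    return hmac.compare_digest(expected.encode("utf-8"), token.encode("utf-8"))


def handle_vote(session_user: int, competition_id: int, token: Optional[str],
                votes: Dict[int, Set[int]], now: Optional[int] = None) -> str:
    """Stand-in for a /competitions/vote/<id> action.

    `votes` maps competition id to the set of users who already voted, so a
    replayed request with a still-valid token cannot vote twice. Returns a
    status string in place of rendering a view.
    """
    if token is None or not verify_action_token(token, session_user, "vote",
                                                competition_id, now):
        return "rejected: missing or invalid token"
    voted = votes.setdefault(competition_id, set())
    if session_user in voted:
        return "rejected: already voted"
    voted.add(session_user)
    return "accepted"


if __name__ == "__main__":
    ledger: Dict[int, Set[int]] = {}
    tok = make_action_token(7, "vote", 27)   # minted when the page was rendered for user 7
    print(handle_vote(7, 27, tok, ledger))   # accepted
    print(handle_vote(7, 27, tok, ledger))   # rejected: already voted
    print(handle_vote(7, 27, None, ledger))  # rejected: missing or invalid token
    print(handle_vote(8, 27, tok, ledger))   # rejected: missing or invalid token (token is user 7's)
```

Because the check does not depend on the HTTP method, the same token protects a plain link and a form alike, and a request that reaches an action the page never issued a token for (the "page with no form" case) is rejected before any data is touched. A request header check such as isAjax only reports what the client chose to send, so it complements the token rather than replacing it.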