Re: Security and Ajax
Because the keys are 'use once', so when submitted by ajax they become invalid.

See this page for a solution:
http://book.cakephp.org/2.0/en/core-libraries/components/security-component.html#SecurityComponent::$csrfUseOnce

Jeremy Burns
Class Outfit
http://www.classoutfit.com

On 8 Aug 2013, at 20:53, "Advantage+" wrote:

> I know forms submitted via ajax that the security component does not work.
> (Checking for edits / tampering)
>
> What is the reason for this? I understand if you add fields dynamically why
> it would not work because of the hashed fields when the form is rendered.
>
> But if you are simply sending a form as coded $this->Form as standard
> procedure, no edits or fields added why would it not act the same?
> The exact data is being sent as if it was submitted http. No?
>
> Just curious.
>
> Thanks,
>
> Dave
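The 'use once' behaviour described in the reply above, modelled as a token store and run against one rendered form that is submitted twice by Ajax without a page reload: with use-once on, the second submit is rejected. This is an added example, not code from the thread or from CakePHP; the class CsrfTokenStore, its methods and the 1800-second lifetime are hypothetical, and only the use-once flag corresponds to the csrfUseOnce setting linked above.

```php
<?php
// Simplified model of a CSRF token store (hypothetical, not CakePHP's code).
// The $useOnce flag plays the role of the csrfUseOnce setting.
final class CsrfTokenStore
{
    private $tokens = array();   // token => expiry timestamp
    private $useOnce;
    private $ttl;
    public function __construct($useOnce, $ttlSeconds = 1800)
    {
        $this->useOnce = $useOnce;
        $this->ttl = $ttlSeconds;
    }

    // Called when the form is rendered: the token goes into a hidden field.
    public function issue($now)
    {
        $token = bin2hex(random_bytes(16));
        $this->tokens[$token] = $now + $this->ttl;
        return $token;
    }

    // Called on every POST, Ajax or not.
    public function validate($token, $now)
    {
        if (!is_string($token) || !isset($this->tokens[$token])) {
            return false;                 // unknown or already consumed
        }
        if ($this->tokens[$token] < $now) {
            unset($this->tokens[$token]); // expired
            return false;
        }
        if ($this->useOnce) {
            unset($this->tokens[$token]); // burned by this request
        }
        return true;
    }
}

// Constructed scenario: the page is not re-rendered between the two
// submits, so the hidden field still carries the token issued at render time.
foreach (array(true, false) as $useOnce) {
    $store = new CsrfTokenStore($useOnce);
    $now = time();
    $token = $store->issue($now);
    $first = $store->validate($token, $now + 5);
    $second = $store->validate($token, $now + 10);
    printf("useOnce=%s first=%s second=%s\n", var_export($useOnce, true), var_export($first, true), var_export($second, true));
}
```

In a CakePHP 2.x controller the corresponding switch is `$this->Security->csrfUseOnce = false;` set in `beforeFilter()`. A reusable token stays valid until it expires, so the token lifetime becomes the window in which a leaked token can be replayed.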
Security and Ajax
I know forms submitted via ajax that the security component does not work.
(Checking for edits / tampering)

What is the reason for this? I understand if you add fields dynamically why
it would not work because of the hashed fields when the form is rendered.

But if you are simply sending a form as coded $this->Form as standard
procedure, no edits or fields added why would it not act the same?
The exact data is being sent as if it was submitted http. No?

Just curious.

Thanks,

Dave
Re: Security and Ajax
An Ajax request is basically the same as any other request as far as the server is concerned; however, you can use 2 Cake components (RequestHandler and Security) to detect the type of request and optionally restrict access to it. Look them up at api.cakephp.org
Re: Security and Ajax
Controller methods that you do not want executed should have an *underscore* (like any private method), i.e.: function _myPrivateMethod()
Security and Ajax
How does CakePHP prevent unauthorized execution of actions? E.g. I have many functions in my controller that don't necessarily render outputs and I don't want them accessible from a simple URL command, e.g. http://localhost/users/deleteAllUsers/

Also, how does ajax prevent against such requests? Maybe as a solution, you could prefix executable actions with a prefix, e.g. executeActionName??