hypercubed wrote: > >From what I understand requireAuth adds a hidden field to the form that > is checked on submit. That wont help if the user/hacker copies the > HTML source of the form (including the hidden Auth hash) to a new HTML > file and submits it from the local machine.
Doesn't work that way. requireAuth does write a hidden value to your forms, but that value is compared to a value in the session when posted, and session data isn't available on the local machine. Also, the hash value is regenerated on every request, so trying to capture and reuse it is useless. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Cake PHP" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/cake-php -~----------~----~----~----~------~----~------~--~---
