So you didn't turn it off? So when people are browsing the site they are constantly hassled with "you have been blackholed"??

On Tuesday, April 2, 2013 4:12:49 PM UTC+1, Jeremy Burns wrote:
>
> I disagree, I'm afraid. The Security component is there to save your 4r53; so by default it is tight - you have to loosen it if you want to. If it were the other way around you'd deploy it thinking you were safe and then find out you weren't (and would shout louder). I too had a learning curve with the Security component but in the end it does what it says it will on the tin. The guide is also useful if you take the time to read it.
>
> Jeremy Burns
> Class Outfit
>
> http://www.classoutfit.com
>
> On 2 Apr 2013, at 16:06:35, [email protected] wrote:
>
> True, but should it be behaving so badly on installation? No one really knows what "black holed" means, it sounds a lot worse than it actually is. It's confusing and somewhat terrifying for it to appear off the bat after a fresh install.
>
> csrfUseOnce should be false by default. That's all I'm saying.
>
> On Tuesday, April 2, 2013 3:58:37 PM UTC+1, Jeremy Burns wrote:
>>
>> When setting up the Security component there are settings that can help (although I am not entirely certain what risks - if any - these introduce):
>>
>> 'Security' => array(
>>     'csrfUseOnce' => false,
>>     'unlockedActions' => array(
>>         'your_action'
>>     )
>> )
>>
>> Setting csrfUseOnce to false means it will reuse the existing tokens, which in turn means you can refresh the page without a black hole.
>>
>> The unlockedActions setting is clearly more risky as it effectively disables the component for that action - but in some cases it can be useful.
>>
>> Jeremy Burns
>> Class Outfit
>>
>> http://www.classoutfit.com
>>
>> On 2 Apr 2013, at 15:41:59, [email protected] wrote:
>>
>> To save people from themselves? To save the world? I really don't care.
>>
>> Bottom line: That blackholed request thing is a usability nightmare. You merely have to reload the page
>>
>> On Monday, April 1, 2013 6:41:44 AM UTC+1, rchavik wrote:
>>>
>>> On Thursday, March 28, 2013 4:57:38 PM UTC+7, [email protected] wrote:
>>>>
>>>> Security features like this that cause issues with basic flow, should be OFF by default. CakePHP is its own worst enemy for leaving it in.
>>>>
>>> Why do you think CakePHP turns SecurityComponent on by default?

--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/cake-php?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
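
An added example, not part of the thread and not CakePHP's own code: a simplified PHP model of the token handling discussed above, showing why a refresh is black-holed when tokens are single-use and accepted when an existing token is reused. `CsrfTokenStore`, its methods, the 1800-second lifetime and the timestamps are hypothetical; it assumes PHP 7+ for `random_bytes`.

```php
<?php
// Simplified model of session CSRF tokens; not CakePHP's implementation.
// CsrfTokenStore and its methods are hypothetical names for this example.
class CsrfTokenStore
{
    const TTL = 1800; // assumed token lifetime in seconds
    private $tokens = array(); // token => expiry timestamp
    private $useOnce;

    public function __construct($useOnce)
    {
        $this->useOnce = $useOnce;
    }

    // Called when a form is rendered.
    public function issue($now)
    {
        foreach (($this->useOnce ? array() : $this->tokens) as $token => $expires) {
            if ($expires > $now) {
                return (string) $token; // reuse mode: hand back a live token
            }
        }
        $token = bin2hex(random_bytes(16));
        $this->tokens[$token] = $now + self::TTL;
        return $token;
    }

    // Called on POST; false models a black-holed request.
    public function validate($token, $now)
    {
        $expires = isset($this->tokens[$token]) ? $this->tokens[$token] : 0;
        if ($expires <= $now) {
            return false; // unknown, consumed or expired token
        }
        if ($this->useOnce) {
            unset($this->tokens[$token]); // consumed: a resubmit fails
        }
        return true;
    }
}

foreach (array(true, false) as $useOnce) {
    $store = new CsrfTokenStore($useOnce);
    $t0 = 1364915569; // constructed timestamp
    $token = $store->issue($t0);
    $submit = $store->validate($token, $t0 + 5);
    $refresh = $store->validate($token, $t0 + 10); // same token resubmitted
    $late = $store->validate($token, $t0 + 3600); // past the token lifetime
    echo json_encode(compact('useOnce', 'submit', 'refresh', 'late')), "\n";
}
```

In reuse mode the same token keeps validating until it expires, which is the trade-off behind refresh-safe forms.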
