No, I tested, handled the errors and realised that if either (i) I hadn't done 
my job properly or (ii) the people trying to break my site are cleverer than me 
then I'm better off black holing in some cases rather than have the client 
chase me because someone stole something from his site.

Jeremy Burns
Class Outfit

http://www.classoutfit.com

On 2 Apr 2013, at 16:40:59, [email protected] wrote:

> 
> So you didn't turn it off?
> 
> So when people are browsing the site they are constantly hassled with "you 
> have been blackholed"??
> 
> On Tuesday, April 2, 2013 4:12:49 PM UTC+1, Jeremy Burns wrote:
> I disagree, I'm afraid. The Security component is there to save your 4r53; so 
> by default it is tight - you have to loosen it if you want to. If it were the 
> other way around you'd deploy it thinking you were safe and then find out you 
> weren't (and would shout louder). I too had a learning curve with the 
> Security component but in the end it does what it says it will on the tin. The 
> guide is also useful if you take the time to read it.
> 
> Jeremy Burns
> Class Outfit
> 
> http://www.classoutfit.com
> 
> On 2 Apr 2013, at 16:06:35, [email protected] wrote:
> 
>> 
>> True, but should it be behaving so badly on installation? No one really knows 
>> what "black holed" means; it sounds a lot worse than it actually is. It's 
>> confusing and somewhat terrifying for it to appear off the bat after a fresh 
>> install.
>> 
>> csrfUseOnce should be false by default. That's all I'm saying.
>> 
>> On Tuesday, April 2, 2013 3:58:37 PM UTC+1, Jeremy Burns wrote:
>> When setting up the Security component there are settings that can help 
>> (although I am not entirely certain what risks - if any - these introduce):
>> 
>> public $components = array(
>>     'Security' => array(
>>         'csrfUseOnce' => false,
>>         'unlockedActions' => array(
>>             'your_action'
>>         )
>>     )
>> );
>> 
>> Setting csrfUseOnce to false means it will reuse the existing tokens, which 
>> in turn means you can refresh the page without a black hole.
>> 
>> The unlockedActions setting is clearly more risky as it effectively disables 
>> the component for that action - but in some cases it can be useful.
>> 
>> Jeremy Burns
>> Class Outfit
>> 
>> http://www.classoutfit.com
>> 
>> On 2 Apr 2013, at 15:41:59, [email protected] wrote:
>> 
>>> 
>>> To save people from themselves? To save the world? I really don't care. 
>>> 
>>> Bottom line: That blackholed request thing is a usability nightmare. You 
>>> merely have to reload the page.
>>> 
>>> On Monday, April 1, 2013 6:41:44 AM UTC+1, rchavik wrote:
>>> 
>>> 
>>> On Thursday, March 28, 2013 4:57:38 PM UTC+7, [email protected] wrote:
>>> Security features like this that cause issues with basic flow should be 
>>> OFF by default. CakePHP is its own worst enemy for leaving it in.
>>> 
>>> 
>>> Why do you think CakePHP turns SecurityComponent on by default?
>>> 
>> 
>> 
> 
> 

-- 
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

--- 
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/cake-php?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
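As an added example, not code from this thread or from CakePHP itself, the following stand-alone PHP models the two token policies the thread argues about: a token that is consumed on first use (the csrfUseOnce = true case, where a refreshed POST is black-holed) and a token that is reissued until it expires (csrfUseOnce = false, where a refresh succeeds), plus an action excluded from the check in the way unlockedActions does. The class and method names (CsrfGuard, issueToken, checkRequest), the 'add' and 'webhook' action names, the 30-minute lifetime and the scenario at the bottom are all constructed for this example; SecurityComponent's real implementation is not reproduced here.

```php
<?php
// Added example, not CakePHP's own code: a stand-alone model of the token
// policies discussed in the thread. useOnce = true consumes a token on
// first use (a refreshed POST is rejected); useOnce = false hands the same
// unexpired token out again, so a refresh is accepted, while a request
// carrying no valid token is still rejected. An "unlocked" action skips the
// check. CsrfGuard, issueToken() and checkRequest() are names invented here.
// Requires PHP >= 7.0 for random_bytes().

class CsrfGuard
{
    private $useOnce;
    private $ttl;              // seconds a token stays valid
    private $unlocked;         // actions that bypass the check entirely
    private $tokens = array(); // server-side store: token => expiry timestamp

    public function __construct($useOnce, $ttl = 1800, array $unlocked = array())
    {
        $this->useOnce  = (bool) $useOnce;
        $this->ttl      = (int) $ttl;
        $this->unlocked = $unlocked;
    }

    // Called when a form is rendered. With useOnce = false an existing,
    // unexpired token is reissued instead of minting a new one.
    public function issueToken($now)
    {
        $this->expireTokens($now);
        if (!$this->useOnce && count($this->tokens) > 0) {
            $keys = array_keys($this->tokens);
            return $keys[0];
        }
        $token = bin2hex(random_bytes(16));
        $this->tokens[$token] = $now + $this->ttl;
        return $token;
    }

    // Called on every POST. Returns true if the request may proceed and
    // false if it should be black-holed.
    public function checkRequest($action, $submittedToken, $now)
    {
        if (in_array($action, $this->unlocked, true)) {
            return true; // no CSRF check at all for this action
        }
        $this->expireTokens($now);
        if (!is_string($submittedToken) || !isset($this->tokens[$submittedToken])) {
            return false; // missing, unknown or expired token
        }
        if ($this->useOnce) {
            unset($this->tokens[$submittedToken]); // consumed: a replay will fail
        }
        return true;
    }

    private function expireTokens($now)
    {
        foreach ($this->tokens as $token => $expires) {
            if ($expires <= $now) {
                unset($this->tokens[$token]);
            }
        }
    }
}

// Constructed scenario: the user loads a form, submits it, then refreshes,
// which re-posts the same token. A cross-site attacker posts without one.
function report($label, $allowed)
{
    echo str_pad($label, 40) . ($allowed ? 'allowed' : 'black-holed') . PHP_EOL;
}

$now = time();

$strict = new CsrfGuard(true);
$t = $strict->issueToken($now);
report('useOnce=true,  first submit',     $strict->checkRequest('add', $t, $now));
report('useOnce=true,  refresh (replay)', $strict->checkRequest('add', $t, $now));

$lenient = new CsrfGuard(false, 1800, array('webhook'));
$t = $lenient->issueToken($now);
report('useOnce=false, first submit',     $lenient->checkRequest('add', $t, $now));
report('useOnce=false, refresh (replay)', $lenient->checkRequest('add', $t, $now));
echo 'useOnce=false, same token reissued on re-render: '
    . ($t === $lenient->issueToken($now + 60) ? 'yes' : 'no') . PHP_EOL;
report('useOnce=false, forged request',   $lenient->checkRequest('add', 'bogus', $now));
report('useOnce=false, token expired',    $lenient->checkRequest('add', $t, $now + 1801));
report('unlocked action, no token',       $lenient->checkRequest('webhook', null, $now));
```

Run it with `php csrf_guard.php`. The model makes the trade-off in the thread concrete: with the token reused, a request forged from another origin is still rejected, because the attacker never sees the token; what you give up is that a token which does leak stays usable until it expires rather than for a single request. The unlocked action is the only case where a request with no token at all gets through, which is why it is the setting to treat with most care.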