Well you can use my ajax handler, it wraps the security component so it works with AJAX calls.
http://www.milesj.me/resources/script/ajax-handler-component

On Oct 2, 7:12 am, Martin Westin <[email protected]> wrote:
> You CAN... but it is painful to say the least.
>
> Since you can't have your cake and eat it ;) your best bet is to look
> inside the Security Component to see what parts you want to use and
> then put that into your own component, extend the core component or
> something like that. You can also look at the Security class but it
> does not offer any turn-key solutions for you.
>
> At the risk of being misinterpreted, I am tempted to say that you
> should not care where requests come from. Either a request is a
> "public" request like /posts/display/123 or a protected action like
> /posts/delete/123. Where the request comes from has little relevance in
> the first case. In the second case it really has little relevance too
> since you will be much more concerned about a valid session
> identifying an authorized user, right?
>
> If your security model needs to include "has been posted from exactly
> my form on my page" then ajax should not be used for those requests.
> IMHO.
>
> /Martin
>
> On Oct 1, 11:05 pm, "Dave Maharaj :: WidePixels.com"
> <[email protected]> wrote:
> > But no good for AJAX.
> >
> > I have AJAX forms in my app so I can't use the security component.
> >
> > Can I? I know it won't work for AJAX submitted forms. I was just curious.
> >
> > Dave
> >
> > -----Original Message-----
> > From: Martin Westin [mailto:[email protected]]
> > Sent: October-01-09 5:45 PM
> > To: CakePHP
> > Subject: Re: Where request comes from?
> >
> > The Security Component does this kind of thing for you. For example, it will
> > embed a hash value into the form which is a checksum of the form. If a field
> > is missing or added it will be captured. If a hidden value is modified this
> > will also be captured. Also sessions will be more secure and a lot harder to
> > hijack since the session id is replaced for each request.
> >
> > And a bunch more stuff.
> >
> > /Martin
> >
> > On Oct 1, 9:36 pm, Bert Van den Brande <[email protected]> wrote:
> > > I believe the FormHelper has some 'secure' stuff available for this
> > > ... best to consult the documentation ...
> > >
> > > On Thu, Oct 1, 2009 at 8:50 PM, Dave Maharaj :: WidePixels.com <
> > > [email protected]> wrote:
> > > > Is there a way to determine / ensure that any requested action
> > > > comes from the server?
> > > >
> > > > I mean more towards the aspect of forms. That when a form is
> > > > submitted the request is coming from the site and not someone who
> > > > made a form and trying to submit it to your site.
> > > >
> > > > Just curious
> > > >
> > > > Thanks,
> > > >
> > > > Dave
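
An added example, not part of the thread and not CakePHP's own code: a form token of the kind described in the quoted message about the Security Component, computed here as an HMAC over the form's field names and locked hidden values with a per-session secret. The function names, the `_token` field, the sample form and the choice of HMAC-SHA256 are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: compute the token while rendering the form.
// $fields: names of every input in the form; $locked: hidden name => value pairs.
function form_token(string $secret, string $action, array $fields, array $locked): string
{
    $fields = array_map('strval', $fields);
    $locked = array_map('strval', $locked);   // keys are preserved
    sort($fields, SORT_STRING);
    ksort($locked, SORT_STRING);
    // JSON gives an unambiguous serialization of the action, names and values.
    $payload = json_encode([$action, $fields, $locked], JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $payload, $secret);
}

// Hypothetical helper: recompute the token from what actually arrived.
function form_token_valid(string $secret, string $action, array $post, array $lockedNames): bool
{
    $token = $post['_token'] ?? null;
    unset($post['_token']);
    if (!is_string($token)) {
        return false;
    }
    $locked = [];
    foreach ($lockedNames as $name) {
        if (!isset($post[$name]) || !is_string($post[$name])) {
            return false;                      // locked field missing or not a scalar
        }
        $locked[$name] = $post[$name];
    }
    $expected = form_token($secret, $action, array_keys($post), $locked);
    return hash_equals($expected, $token);     // constant-time comparison
}

// Constructed sample data: a delete form with one locked hidden field.
$secret = bin2hex(random_bytes(32));           // assumed to be stored in the session
$action = '/posts/delete/123';
$token  = form_token($secret, $action, ['id', 'confirm'], ['id' => '123']);

$ok       = ['id' => '123', 'confirm' => '1', '_token' => $token];
$modified = ['id' => '124', 'confirm' => '1', '_token' => $token];
$extra    = $ok + ['is_admin' => '1'];
$missing  = ['id' => '123', '_token' => $token];

foreach (compact('ok', 'modified', 'extra', 'missing') as $label => $post) {
    $result = form_token_valid($secret, $action, $post, ['id']) ? 'accepted' : 'rejected';
    printf("%-8s %s\n", $label, $result);
}
```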
