I have been digging into using the requireAuth method of the security component, and its current implementation will, I believe, cause us problems, although I am new to Cake so please go easy on me if I haven't understood it properly.
One of the things that is confusing me, and I believe will cause us problems, is the fact that a new token is generated for each request. I am probably missing something, but this token seems to be used to prevent CSRF attacks, and I am therefore confused as to why we need a new one for each request. One is probably sufficient for the session.

The problem that I think the current approach will cause is that we use a fair amount of Ajax. What this means is that we may have delivered two separate forms to a single browser screen, and those forms could be submitted in any order. If the first form delivered to the browser is submitted back first, then the token doesn't match, as the second form delivered generated a new one and stored it in the session.

I guess my core question is: why can't the token be generated just once for the session? Better yet, why can't it just be the session id or a secure hash of it, which is just as secure as the double cookie submit trick described here: http://getahead.org/blog/joe/2007/01/01/csrf_attacks_or_how_to_avoid_exposing_your_gmail_contacts.html

Thanks,
Rob
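The Ajax scenario from the post, as an added example that is not CakePHP's code or the poster's: a plain array stands in for $_SESSION so it runs from the command line, and the function names are hypothetical. It models a per-request token that is overwritten on every render next to a single random per-session token, and submits two delivered forms in delivery order against each.

```php
<?php
// Added example (not from CakePHP): compares the two token strategies discussed
// in the post. A plain array replaces $_SESSION so this runs under php-cli.

function newToken(): string
{
    return bin2hex(random_bytes(16));
}

// Strategy A: every rendered form gets a fresh token and overwrites the stored one,
// so only the most recently delivered form can still validate.
function renderPerRequest(array &$session): string
{
    $session['_Token'] = newToken();
    return $session['_Token'];
}

function checkPerRequest(array $session, string $posted): bool
{
    return isset($session['_Token']) && hash_equals($session['_Token'], $posted);
}

// Strategy B: one random secret generated the first time it is needed and reused
// for every form in the session. A random value is used rather than the session id
// itself, so the id never has to appear in page markup.
function sessionToken(array &$session): string
{
    if (!isset($session['csrfToken'])) {
        $session['csrfToken'] = newToken();
    }
    return $session['csrfToken'];
}

function checkSession(array $session, string $posted): bool
{
    return isset($session['csrfToken']) && hash_equals($session['csrfToken'], $posted);
}

// Two forms delivered to one page (e.g. via Ajax), then form A is submitted first.
$session = [];
$formA = renderPerRequest($session);
$formB = renderPerRequest($session);
printf("per-request, form A: %s\n", checkPerRequest($session, $formA) ? 'accepted' : 'rejected');
printf("per-request, form B: %s\n", checkPerRequest($session, $formB) ? 'accepted' : 'rejected');

$session = [];
$formA = sessionToken($session);
$formB = sessionToken($session);
printf("per-session, form A: %s\n", checkSession($session, $formA) ? 'accepted' : 'rejected');
printf("per-session, form B: %s\n", checkSession($session, $formB) ? 'accepted' : 'rejected');
```

With the per-request store, form A's token is gone by the time it is posted because rendering form B replaced it; with the per-session token both forms validate regardless of submission order. hash_equals is used for the comparison so token checks are constant-time.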