You CAN... but it is painful to say the least. Since you can't have your cake and eat it ;) your best bet is to look inside the Security Component to see what parts you want to use and then put that into your own component, extend the core component or something like that. You can also look at the Security class but it does not offer any turn-key solutions for you.
At the risk of being misinterpreted, I am tempted to say that you should not care where requests come from. Either a request is a "public" request like /posts/display/123 or a protected action like /posts/delete/123. Where the request comes from has little relevance in the first case. In the second case it really has little relevance too since you will be much more concerned about a valid session identifying an authorized user, right?

If your security model needs to include "has been posted from exactly my form on my page" then ajax should not be used for those requests. IMHO.

/Martin

On Oct 1, 11:05 pm, "Dave Maharaj :: WidePixels.com" <[email protected]> wrote:
> But no good for AJAX.
>
> I have AJAX forms in my app so I can't use the security component.
>
> Can I? I know it won't work for AJAX submitted forms. I was just curious.
>
> Dave
>
> -----Original Message-----
> From: Martin Westin [mailto:[email protected]]
> Sent: October-01-09 5:45 PM
> To: CakePHP
> Subject: Re: Where request comes from?
>
> The Security Component does this kind of thing for you. For example, it will
> embed a hash value into the form which is a checksum of the form. If a field
> is missing or added it will be captured. If a hidden value is modified this
> will also be captured. Also sessions will be more secure and a lot harder to
> hijack since the session id is replaced for each request.
>
> And a bunch more stuff.
>
> /Martin
>
> On Oct 1, 9:36 pm, Bert Van den Brande <[email protected]> wrote:
> > I believe the FormHelper has some 'secure' stuff available for this
> > ... best to consult the documentation ...
> >
> > On Thu, Oct 1, 2009 at 8:50 PM, Dave Maharaj :: WidePixels.com <[email protected]> wrote:
> > > Is there a way to determine / ensure that any requested action
> > > comes from the server?
> > >
> > > I mean more towards the aspect of forms. That when a form is
> > > submitted the request is coming from the site and not someone who
> > > made a form and trying to submit it to your site.
> > >
> > > Just curious
> > >
> > > Thanks,
> > >
> > > Dave
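The form checksum described in the quoted 5:45 PM message (a hash embedded in the form, so that a missing or added field or a modified hidden value is caught), as an added PHP example that is not part of the thread and is not CakePHP's Security Component code. The names `formToken()`, `verifyForm()` and `_token`, the use of HMAC-SHA256, and binding the token to the session id are assumptions made for illustration.

```php
<?php
// Added illustration; not CakePHP's Security Component implementation.
// formToken(), verifyForm() and the '_token' field name are hypothetical.

// HMAC over the session id, the sorted field names and the hidden values.
function formToken(array $fieldNames, array $hidden, string $secret, string $sessionId): string
{
    sort($fieldNames);
    ksort($hidden);
    $payload = json_encode([$sessionId, $fieldNames, $hidden]);
    return hash_hmac('sha256', $payload, $secret);
}

// Recompute the token from what was actually posted and compare.
// $hiddenNames comes from the server-side form definition (assumption).
function verifyForm(array $post, array $hiddenNames, string $secret, string $sessionId): bool
{
    $token = $post['_token'] ?? '';
    unset($post['_token']);
    if (!is_string($token)) {
        return false;
    }
    $hidden = array_intersect_key($post, array_flip($hiddenNames));
    $expected = formToken(array_keys($post), $hidden, $secret, $sessionId);
    return hash_equals($expected, $token); // constant-time comparison
}

// Constructed sample values, for the demo only.
$secret = 'constructed-demo-secret';
$sid    = 'constructed-session-id';

// Render time: the form has the fields id (hidden), title and body.
$token = formToken(['id', 'title', 'body'], ['id' => '123'], $secret, $sid);

$valid = ['id' => '123', 'title' => 'Hello', 'body' => 'Text', '_token' => $token];
$cases = [
    'unchanged form'        => $valid,
    'hidden value modified' => array_merge($valid, ['id' => '999']),
    'field added'           => array_merge($valid, ['role' => 'admin']),
    'field missing'         => array_diff_key($valid, ['body' => true]),
    'other session'         => $valid,
];
foreach ($cases as $label => $post) {
    $session = $label === 'other session' ? 'another-session-id' : $sid;
    printf("%-22s %s\n", $label, verifyForm($post, ['id'], $secret, $session) ? 'accepted' : 'rejected');
}
```

The token travels as an ordinary form field, so the check does not depend on how the form was submitted, only on the posted fields matching what the server rendered for that session.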
