SecurityComponent is good for protecting against CSRF attacks, but when I encounter a black hole while debugging an app, I want to know why. When SecurityComponent black holes a request, it's only capable of telling you one thing: you sent a bad request. That's good for production--you want attackers to have as little information as possible--but it's frustrating for developers who are debugging their code.
I think it would be helpful if there were an option to have SecurityComponent and FormHelper log the unserialized field lists they use to produce token hashes. My idea is to create a security.log in tmp/logs with entries like:

* [Time and Request URI] - Form field hash [hash] based on [field list]
* [Time and Request URI] - Request field hash [hash] based on [field list]
* [Time and Request URI] - Request field hash [hash] does not match Form field hash [hash]

Because it's intended for debugging specific black holes, I think such logging should be a discrete configuration option for SecurityComponent. Developers would enable it only when they need to work out why a specific request is being black holed.

Does anyone else think this would be helpful? Are there good reasons to avoid such an approach? I've hacked my own SecurityComponent and FormHelper forks to do this, but wanted the community's opinion on the idea before cleaning it up and submitting a patch/pull request.

Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions.

You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
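The logging the post proposes, as an added stand-alone PHP sketch that is not CakePHP's code nor the poster's fork. It assumes, as a simplification, that the form token is sha1(serialize($fieldList) . $salt) with the field list sorted first, uses a constructed salt, and writes security.log to the current directory rather than tmp/logs; the function names (fieldHash, securityLog, formTokenFor, validatePost) and the SECURITY_DEBUG_LOG switch are hypothetical, not CakePHP's API.

```php
<?php
// Added example, not CakePHP or the poster's code: a stand-alone sketch of the
// proposed security.log debugging output. Assumption: the token is
// sha1(serialize(sorted field list) . salt). Log goes to ./security.log here.

define('SECURITY_DEBUG_LOG', true);                  // hypothetical discrete config switch
define('SECURITY_SALT', 'constructed-salt-not-real'); // constructed value, not a real salt

// Compute the token hash for a field list (assumed scheme, see lead-in).
function fieldHash(array $fields) {
    sort($fields);                                   // assumption: both sides sort first
    return sha1(serialize($fields) . SECURITY_SALT);
}

// Append one "[Time and Request URI] - message" line when debugging is enabled.
function securityLog($requestUri, $message) {
    if (!SECURITY_DEBUG_LOG) {
        return;                                      // silent in production: attacker learns nothing
    }
    $line = sprintf("[%s %s] - %s\n", date('Y-m-d H:i:s'), $requestUri, $message);
    file_put_contents(__DIR__ . '/security.log', $line, FILE_APPEND);
}

// FormHelper side: hash the rendered fields and log the unserialized list behind it.
function formTokenFor($requestUri, array $fields) {
    $hash = fieldHash($fields);
    securityLog($requestUri, sprintf('Form field hash [%s] based on [%s]',
        $hash, implode(', ', $fields)));
    return $hash;
}

// SecurityComponent side: rebuild the hash from the posted fields, log it, compare.
function validatePost($requestUri, array $postedFields, $formHash) {
    $hash = fieldHash($postedFields);
    securityLog($requestUri, sprintf('Request field hash [%s] based on [%s]',
        $hash, implode(', ', $postedFields)));
    if ($hash !== $formHash) {
        securityLog($requestUri, sprintf('Request field hash [%s] does not match Form field hash [%s]',
            $hash, $formHash));
        return false;                                // this is where the request would be black holed
    }
    return true;
}

// Constructed scenario: the submitted form carries a field the rendered form did not.
$uri = '/posts/add';
$token = formTokenFor($uri, array('Post.title', 'Post.body'));
$ok = validatePost($uri, array('Post.title', 'Post.body', 'Post.extra'), $token);
echo $ok ? "accepted\n" : "black holed; see security.log for both field lists\n";
```

Run with `php example.php` and inspect security.log: the third line shows the mismatch, and the two lines before it show the exact field lists each side hashed, which is the information a bare black hole withholds. Keeping the switch off by default preserves the production property the post describes, where a rejected request reveals nothing about why.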
