Maybe this will help: http://bakery.cakephp.org/articles/view/encrypting-urls
On Jan 1, 11:54 am, anka wrote:
Hi again,
I am open to learn, so please tell me, what's the benefit of URL
obscurity if not protecting against CSRF. A large German social
network uses that to protect against CSRF, though they do not use
UUIDs. Just links like domain.tld/long_random_looking_stuff_here; it
works against mining too.
Well,
the UUIDs do help with his problem of "being able to guess" the URL.
I like UUIDs as you don't tell how many items have been added
(this can be important in some cases),
but of course it has nothing to do with CSRF.
Delete should NEVER be done by a GET request anyway.
GET never alters the database.
Well, using UUIDs would result in /users/view/LONG-UU-ID-HERE,
which would not resolve Cross-Site Request Forgery.
Use SecurityComponent and use form buttons that use method = post.
That way "destructive" links get caught if no form security token was
found.
I do it like this:
http://github.com/i
Just use UUIDs;
that "feature" comes with it automatically.
On 3 Jan., 08:41, Walther wrote:
Not really possible afaik.
But, security through obscurity is not the solution. You should rather
spend the time writing code that will make sure that the user/referer
has permissions to perform that action.
On Jan 1, 9:54 pm, anka wrote:
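The two replies above (POST-only deletes behind a form token, and an explicit permission check rather than an obscure URL) put together in one endpoint. This is an added example, not code from anyone in the thread and not CakePHP's own SecurityComponent: it is plain PHP (7.4 or later) so it runs stand-alone with the CLI, and the function names, the in-memory "database", the session array and the request arrays are all this example's own constructions.

```php
<?php
declare(strict_types=1);
// Added example, not from the thread or from CakePHP. Plain PHP so it runs with
// `php delete_demo.php`; the database, session and requests below are constructed
// in-line. All names here are this example's own assumptions.

// The GET link the original question describes: anything that makes the victim's
// browser fetch ".../users/delete/<id>" (an <img src>, a redirect) deletes the record.
// Swapping 10 for a UUID changes nothing here: the attacker only needs the link.
function deleteUserViaGet(array &$db, string $idFromUrl): bool
{
    if (!isset($db[$idFromUrl])) {
        return false;
    }
    unset($db[$idFromUrl]);   // no method check, no token, no ownership check
    return true;
}

// Per-session secret the server puts into every form and expects back on POST.
// This is the job SecurityComponent does in CakePHP; here it is spelled out.
function newCsrfToken(): string
{
    return bin2hex(random_bytes(32));
}

// Hardened delete: POST only, valid token, and the caller must own the record.
// Returns the HTTP status the endpoint would answer with.
function deleteUserHardened(array &$db, array $session, array $request): int
{
    // 1. GET must never change state; reject anything but POST.
    if (($request['method'] ?? '') !== 'POST') {
        return 405;
    }
    // 2. Token check: a cross-site forged POST cannot know the victim's session token.
    $sent = $request['post']['_csrf'] ?? null;
    if (!is_string($sent) || !hash_equals($session['csrf'], $sent)) {
        return 403;
    }
    // 3. Authorization: knowing a valid ID (sequential or UUID) is not permission to delete it.
    $id = $request['post']['id'] ?? null;
    if (!is_string($id) || !isset($db[$id])) {
        return 404;
    }
    if ($db[$id]['owner'] !== $session['user_id'] && empty($session['is_admin'])) {
        return 403;
    }
    unset($db[$id]);
    return 200;
}

// The delete button as a form carrying the token, instead of a plain <a href> link.
function renderDeleteForm(array $session, string $id): string
{
    return '<form method="post" action="/users/delete">'
        . '<input type="hidden" name="_csrf" value="' . htmlspecialchars($session['csrf'], ENT_QUOTES) . '">'
        . '<input type="hidden" name="id" value="' . htmlspecialchars($id, ENT_QUOTES) . '">'
        . '<button type="submit">Delete</button></form>';
}

// --- constructed demo data: UUID keys, to show they do not stop the forged request ---
$db = [
    '4f6c2d2e-9c1a-4f11-8d7b-0a1b2c3d4e5f' => ['owner' => 'alice'],
    '8a1b3c4d-1234-4abc-9def-0123456789ab' => ['owner' => 'bob'],
];
$aliceRecord  = '4f6c2d2e-9c1a-4f11-8d7b-0a1b2c3d4e5f';
$bobRecord    = '8a1b3c4d-1234-4abc-9def-0123456789ab';
$aliceSession = ['user_id' => 'alice', 'is_admin' => false, 'csrf' => newCsrfToken()];

// Forged GET from another site against the naive endpoint.
$copy = $db;
printf("GET delete (naive):     %s\n", deleteUserViaGet($copy, $aliceRecord) ? 'deleted' : 'refused');
// The same forged GET against the hardened endpoint.
printf("GET delete (hardened):  %d\n", deleteUserHardened($db, $aliceSession, ['method' => 'GET']));
// Forged POST without the token (an attacker's auto-submitting form).
printf("POST, no token:         %d\n", deleteUserHardened($db, $aliceSession,
    ['method' => 'POST', 'post' => ['id' => $aliceRecord]]));
// Alice, with a valid token, tries Bob's record: the permission check stops it, not the token.
printf("POST, token, not owner: %d\n", deleteUserHardened($db, $aliceSession,
    ['method' => 'POST', 'post' => ['id' => $bobRecord, '_csrf' => $aliceSession['csrf']]]));
// Legitimate submit of the rendered form.
printf("POST, token, owner:     %d\n", deleteUserHardened($db, $aliceSession,
    ['method' => 'POST', 'post' => ['id' => $aliceRecord, '_csrf' => $aliceSession['csrf']]]));
echo renderDeleteForm($aliceSession, $bobRecord), "\n";
```

The three checks are independent on purpose: the method check is what stops the `<img src>` style attack, the token is what stops a forged POST from a page the attacker controls, and the ownership check is what stops a logged-in user who simply knows (or guesses) someone else's ID. UUIDs only make the last one harder to guess; they do nothing for the first two.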
Hi @all,
I have an (almost) simple question! Is it possible to make all CakePHP
REST URLs unreadable? What I mean is that a given REST URL like ".../
user/delete/10" is very simple to read for a human and it is very
simple to guess that I can call this URL with any ID I want. So it
would be very