
Making Security Component work in CakePHP

Developer https://www.devze.com 2023-03-29 13:18 Source: web

Here's my situation. I've heard that the requireAuth() function of the Security component generates a new key for every form once the page is reloaded. But I've tried it in every single controller in my application by using the code below:

function beforeFilter()
{
    // ...
    $this->Security->requireAuth();
}

But still none of the forms in my application generates the key. I've even submitted the form, still the key remains the same. My Security.level is set to high in core.php.


Edited answer

Looking at the source code for the FormHelper, as far as the token being the same, if $this->params['_Token'] is set, it uses $this->params['_Token']['key'] as the hidden field's value. The hidden field's id, on the other hand, is randomly generated, not the token key.

When using the $this->Form->end() method, if $this->params['_Token'] is set, the fields are run through a method called secure(). This essentially serializes the form fields and runs them through Security::hash(), which creates a SHA1 hash of the serialized fields. If the form has been tampered with, this hash will be different from the original token, thus Cake knows the form has been tampered with.

$this->Security->requireAuth() has nothing to do with your forms; it sets the action to require SSL.

0
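The field-hash check described in the answer above, as an added stand-alone PHP sketch (not CakePHP's own code and not part of the original answer). It assumes a server-side salt, hashes field names only, and uses hypothetical names (`EXAMPLE_SALT`, `formFieldsToken`, `formWasTampered`, `_fields_token`).

```php
<?php
// Added illustration, not CakePHP source: a simplified form of the
// "serialize the fields, SHA1 them, compare on submit" check.

// Assumption: a server-side secret is mixed into the hash so a client
// cannot recompute a valid token after changing the field list.
const EXAMPLE_SALT = 'constructed-example-salt';

// Render time: hash the names of the fields the form was built with.
function formFieldsToken(array $fieldNames): string
{
    sort($fieldNames, SORT_STRING);   // make the hash order-independent
    return sha1(serialize($fieldNames) . EXAMPLE_SALT);
}

// Submit time: recompute the hash from the field names actually posted
// and compare it with the token carried in the hidden input.
function formWasTampered(array $posted): bool
{
    $token = (string) ($posted['_fields_token'] ?? '');
    unset($posted['_fields_token']);  // the token itself is not a form field
    $expected = formFieldsToken(array_keys($posted));
    return !hash_equals($expected, $token);  // constant-time comparison
}

// The server renders a form with two fields and embeds the token.
$token = formFieldsToken(['username', 'email']);

// Constructed submissions: one as rendered, one with a field added client-side.
$asRendered = [
    'username'      => 'alice',
    'email'         => 'alice@example.com',
    '_fields_token' => $token,
];
$fieldAdded = $asRendered + ['is_admin' => '1'];

var_dump(formWasTampered($asRendered));
var_dump(formWasTampered($fieldAdded));
```

The token depends only on the set of fields, so it stays the same across reloads of an unchanged form, which matches the behaviour the question reports.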
