Making Security Component work in CakePHP
Here's my situation. I've heard that the requireAuth()
function of Security
component generates a new key for every form once the page is reloaded. But i've tried it in every single controller in my application by using the below code
function beforeFilter()
{
...
$this->Security->requireAuth();
}
But still none of the forms in my application generates the key. I've even submitted the form, still the key remains the same. My Security.level
开发者_开发知识库 is set to high
in core.php
Edited answer
Looking at the source code for the FormHelper, as far as the token being the same, if $this->params['_Token']
is set, it uses $this->params['_Token']['key']
as the hidden fields value. The hidden fields id
on the other hand is randomly generated not the token key.
When using the $this->Form->end()
method, if $this->params['_Token']
is set, the fields are run through a method called secure()
. This essentially serializes the form fields and runs them through Security::hash()
which creates an SHA1 hash of the serialized fields. If the form has been tampered with this hash will be different from the original token, thus Cake knows the form has been tampered with.
$this->Security->requireAuth()
has nothing to do with your forms it sets the action to require SSL.
精彩评论