zen of coding

Clearing up some confusion regarding the Security component

In the previous post, I’ve made a little “mistake” (if you wish to call it that) in the way I’ve set up the Security component…

So, here I’d like to shed some light on the way things really work.

This is the code I’ve been using in the past, and I guess I never fully investigated what exactly happens when such a setup is used:

<?php
class UsersController extends AppController {

    var $name = 'Users';
    var $components = array('Security');

    function beforeFilter() {
        // adds the session-token check for the 'add' action
        $this->Security->requireAuth('add');
    }

    // the rest of your controller code...
}

First, Tarique Sani pointed out that $this->Security->requireAuth('add'); is not really necessary to make the Security component produce the hash and verify it against the one sent with the form data.
So we can really easily protect our forms by just including var $components = array('Security'); and nothing else.

After that, Nate explained that “adding $this->Security->requireAuth('add'); adds a different type of form security. By default (without calling any methods) the Security component will make forms generate a hash to ensure that they haven’t been tampered with. Adding requireAuth(), on the other hand, writes a random hash to the session, which also gets written into the form. On POST, these hashes are compared. This protects the form from CSRF attacks, and is the only type of protection that interferes with Ajax or multiple tabs.”

The issue with forms not working with multiple tabs (or AJAX calls) was brought up by Reen and Jonah, and while I thought it was a nice, extra security feature, it is understandable that for some people it might be a drawback.
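To make the two mechanisms Nate describes concrete, here is an added, simplified illustration in plain PHP (not the Security component’s own code): a field-list hash that catches tampering, and a single-use session token that catches CSRF but breaks as soon as a second tab renders the form. The salt and the in-memory $session array are constructed for the example.

```php
<?php
// Simplified stand-in for the two checks; NOT CakePHP's Security component code.
// $_SESSION is replaced by a plain array so this runs from the CLI.
$session = array();
$secret  = 'constructed-app-salt';  // stands in for the app's Security.salt

// Default protection: hash the list of field names so a client cannot add,
// remove or rename fields without the hash going stale.
function fieldsHash(array $fields, $secret) {
    sort($fields);
    return hash_hmac('sha1', implode('|', $fields), $secret);
}

// requireAuth()-style protection: a random token kept in the session and
// echoed into the form; the POST must carry the same value.
function issueToken(array &$session) {
    $session['_Token'] = bin2hex(random_bytes(16));
    return $session['_Token'];
}

function checkPost(array $post, array &$session, $secret, $requireAuth) {
    $fields = array_keys(array_diff_key($post, array('_fields' => 1, '_token' => 1)));
    $sent   = isset($post['_fields']) ? $post['_fields'] : '';
    if (!hash_equals(fieldsHash($fields, $secret), $sent)) {
        return false;  // field list was tampered with
    }
    if ($requireAuth) {
        $token = isset($post['_token']) ? $post['_token'] : '';
        $ok = isset($session['_Token']) && hash_equals($session['_Token'], $token);
        unset($session['_Token']);  // single-use: consumed on POST
        return $ok;
    }
    return true;
}

// Tab 1 renders the form, then tab 2 renders it again: the session now holds
// only tab 2's token, so a POST from tab 1 carries a stale value.
$tab1 = issueToken($session);
$tab2 = issueToken($session);
$post = array(
    'username' => 'alice',
    '_fields'  => fieldsHash(array('username'), $secret),
    '_token'   => $tab1,
);
var_dump(checkPost($post, $session, $secret, false)); // bool(true): hash-only check passes
var_dump(checkPost($post, $session, $secret, true));  // bool(false): tab 1's token was overwritten
```

The same POST carrying $tab2 would pass the requireAuth-style check; an Ajax form that never re-renders hits the same stale-token problem after its first submit.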

Well, now we’re all, hopefully, on the same page… and once again Nate and cake save the day :)

  • holooli

    very useful, thank you all guys for this great explanation.

  • In order to make some rich forms developers need multiple tabs or Ajax. I struggled in some of my projects exactly because of this. Is there any solution for this except to remove security especially for these forms? :)

  • @Nik Chankov

    Have you tried it without $this->Security->requireAuth('add'); as Nate suggested?

  • @holooli

    Glad it helped ;)

  • I haven’t; so far I am using only

    var $components = array('Security');

    so far. So I can presume that requireAuth is removed :)

    Right now I need to build an Ajax form with dynamic number of fields. :( Let’s see what will pop out.

  • chuck

    Was anyone able to figure out how to use ajax and still have a secure form?

  • lucas

    Hey tek, great post! Just a thing: I’ve been testing with and without $this->Security->requireAuth('add');

    Without it the session already has a _Token.

    With it I can see no difference.

    Can you tell me an example that requireAuth does make a difference?

    Thanks

  • @lucas

    I haven’t done extensive testing with or without, for my purposes it made no difference. I’m just going based on what Nate had explained here.
    If you do find out, please share ;)
