Reputation: 297
I have a question about the CakePHP 2 form security. Let's assume that we have the Security Component enabled and have already built user authentication, permissions, and a product management system.
We need to create an Offer Request feature, which allows users to ask for an offer for a specific product.
The user is logged in and clicks on "ask" and goes to /offer_requests/add/product_id
Scenario 1:
In the /Views/OfferRequests/add.ctp:
<?php
echo $this->Form->create('OfferRequest');
// user_id is emitted as a hidden field, pre-filled from the session
echo $this->Form->input('user_id',
    array('value' => $this->Session->read('Auth.User.id'),
          'type' => 'hidden'));
echo $this->Form->input('product_id');
echo $this->Form->input('quantity');
echo $this->Form->end(__('Submit'));
?>
Scenario 2:
In the /Views/OfferRequests/add.ctp:
<?php
echo $this->Form->create('OfferRequest');
echo $this->Form->input('product_id');
echo $this->Form->input('quantity');
echo $this->Form->end(__('Submit'));
?>
And in the OfferRequestsController add():
<?php
// user_id is set server-side from the session, regardless of what was posted
$this->request->data['OfferRequest']['user_id'] = $this->Session->read('Auth.User.id');
?>
My question is which scenario is safer, for example against making false requests as another user. For scenario 1, does the Security Component allow manipulating input values through Firebug or some other software?
Upvotes: 4
Views: 1449
Reputation: 7882
Yes, the security component adds automatic prevention of form tampering:
From the docs:
By using the Security Component you automatically get CSRF and form tampering protection. Hidden token fields will automatically be inserted into forms and checked by the Security component. Among other things, a form submission will not be accepted after a certain period of inactivity, which is controlled by the csrfExpires time.
As stated in the other answer, you can use the fieldsList option when saving your data instead. With the security component, however, you would be able to add the user_id as a hidden field (scenario 1) and not worry about its value being tampered with. This would prevent the necessity to set it in the controller (scenario 2).
Upvotes: 5
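To make the answer concrete, here is an added illustration (not CakePHP's code and not part of this thread) of how hidden-field locking in a form-tampering token works, and of the scenario 2 alternative of ignoring the posted user_id entirely. It is a simplified model of the mechanism the Security Component uses: the token binds the form URL, the names of the editable fields, and the names and values of the hidden (locked) fields under a server secret, so a client that edits the hidden user_id, injects an extra field, drops a field, or replays the form against another URL fails the check. The secret, field names, URL and the token format are all constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed server-side secret for this example; a real app keeps an
# equivalent in its configuration (CakePHP: Security.salt).
SECRET = b"constructed-example-salt-not-a-real-secret"
TOKEN_FIELD = "_Token.fields"


def _digest(form_url, unlocked_fields, locked_fields):
    """HMAC over everything the token binds: URL, editable field *names*,
    and locked field *names and values*. Modelled on, not copied from, CakePHP."""
    material = json.dumps(
        {"url": form_url,
         "unlocked": sorted(unlocked_fields),
         "locked": sorted(locked_fields.items())},
        sort_keys=True,
    ).encode()
    return hmac.new(SECRET, material, hashlib.sha1).hexdigest()


def issue_token(form_url, unlocked_fields, locked_fields):
    """Token placed in the form: <digest>:<locked field names>, so the server
    later knows which posted fields must match their rendered values."""
    return _digest(form_url, unlocked_fields, locked_fields) + ":" + "|".join(sorted(locked_fields))


def render_offer_form(form_url, session_user_id):
    """Scenario 1 server side: user_id is a hidden, locked field; product_id and
    quantity are ordinary editable inputs. Returns the fields as the browser sees them."""
    locked = {"user_id": str(session_user_id)}
    unlocked = ["product_id", "quantity"]
    fields = {"user_id": str(session_user_id), "product_id": "", "quantity": ""}
    fields[TOKEN_FIELD] = issue_token(form_url, unlocked, locked)
    return fields


def verify_submission(form_url, posted):
    """Recompute the token from what was actually posted and compare in constant
    time. Any change to a locked value, any added/removed field, or a different
    URL changes the digest and the submission is rejected."""
    token = posted.get(TOKEN_FIELD)
    if token is None or ":" not in token:
        return False
    digest, locked_list = token.split(":", 1)
    locked_names = set(filter(None, locked_list.split("|")))
    data = {k: v for k, v in posted.items() if k != TOKEN_FIELD}
    locked = {k: v for k, v in data.items() if k in locked_names}
    unlocked = [k for k in data if k not in locked_names]
    return hmac.compare_digest(_digest(form_url, unlocked, locked), digest)


def build_record(posted, session_user_id, allowed=("product_id", "quantity")):
    """Scenario 2: never read user_id from the client. Whitelist the fields the
    user may set (the idea behind CakePHP's fieldList) and take user_id from the session."""
    record = {k: posted[k] for k in allowed if k in posted}
    record["user_id"] = session_user_id
    return record


if __name__ == "__main__":
    url = "/offer_requests/add/7"
    form = render_offer_form(url, session_user_id=42)
    honest = dict(form, product_id="7", quantity="3")
    print("honest submit:      ", verify_submission(url, honest))                 # True
    print("user_id changed:    ", verify_submission(url, dict(honest, user_id="99")))  # False
    print("extra field added:  ", verify_submission(url, dict(honest, is_admin="1")))  # False
    print("scenario 2 record:  ", build_record(dict(honest, user_id="99"), 42))
```

The two approaches are complementary: the token check rejects a tampered hidden user_id before the controller runs, while `build_record` shows why scenario 2 is also sound on its own, since a posted user_id is simply never used.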