我正在尝试使用安全组件以避免CSRF攻击,如果我使用formHelper仅使用postLink创建故障单,则会失败:
<?php echo $this->Form->postLink(__('Delete'), array('action' => 'delete', $user['User']['id']), array('class' => 'button mini'), __('Are you sure?', $user['User']['id'])); ?>
我不确定这是否可行,或者CakePHP只允许使用formHelper的create()和end()方法来使用此功能。
CakePHP documentation只表示使用formHel是必须的,但它没有指定更多。
答案 0 :(得分:2)
如果启用了安全组件并且对所有表单使用FormHelper方法,则不必担心这一点。您也不必配置任何东西。它开箱即用。
对于CSRF,您可以使用以下选项:
property SecurityComponent::$csrfCheck
Whether to use CSRF protected forms. Set to false to disable CSRF protection on forms.
property SecurityComponent::$csrfExpires
The duration from when a CSRF token is created that it will expire on. Each form/page request will generate a new token that can only be submitted once unless it expires. Can be any value compatible with strtotime(). The default is +30 minutes.
property SecurityComponent::$csrfUseOnce
Controls whether or not CSRF tokens are use and burn. Set to false to not generate new tokens on each request. One token will be reused until it expires. This reduces the chances of users getting invalid requests because of token consumption. It has the side effect of making CSRF less secure, as tokens are reusable.
如果你打开了所有内容,你应该在表单的html中看到CSRF令牌。您可以设置任何您喜欢的附加选项,但它几乎可以为您开箱即用。