doujichan1399 2013-09-08 19:16

In CakePHP 2.3, is $this->Session->read('Auth.User.field') secure?

I've been working with CakePHP 2.3 for a little while now and I've seen a lot of people using $this->Session->read('Auth.User.id'), especially in views. I'm however wondering how secure that is. Should you not create in the AppController something like

   function beforeRender() {
       // empty() accepts a function call only from PHP 5.5 on, so store the result first.
       $user = $this->Auth->user();
       if (!empty($user)) {
           $this->set('authUser', $user);
       }
   }

to check the user in your views? I can't find any clarification about this in the manual or elsewhere. Is Session secure enough to be counted on?


  • dqusbxh44823 2013-09-08 20:01

    Well, depending on the type of authentication, AuthComponent::user() (it's a static method in Cake 2.x btw) reads the value from the session anyways (in case the static user cache is empty). So, in case the user would be able to modify the session value that holds the ID, both of these methods would be compromised.

    Nonetheless, you'd better pass the value to the view from the controller: the view doesn't know about the proper key, as it's defined on the Auth component. Also, the Auth component implementation might change, causing the view not to be able to access the value like this anymore at all.

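The two points in the answer above, as an added example that is not part of the original thread and not CakePHP source: a small stand-alone model in which `SessionStore` stands in for the server-side session and `AuthModel` for AuthComponent. All class names, function names, the `Auth.Member` key and the sample user are constructed for illustration.

```php
<?php
// Added model, not CakePHP source: SessionStore stands in for the server-side
// session and AuthModel for AuthComponent. All names and values are constructed.
class SessionStore {
    private static $data = array();
    public static function write($key, $value) { self::$data[$key] = $value; }
    public static function read($key) {
        return isset(self::$data[$key]) ? self::$data[$key] : null;
    }
    public static function clear() { self::$data = array(); }
}

class AuthModel {
    public static $sessionKey = 'Auth.User'; // configurable on the component
    private static $cache = null;            // static user cache, left empty in this model

    public static function login(array $user) {
        SessionStore::write(self::$sessionKey, $user);
    }
    // Static cache first, session as fallback: the order the answer describes.
    public static function user($field = null) {
        $user = self::$cache !== null ? self::$cache : SessionStore::read(self::$sessionKey);
        if ($user === null || $field === null) {
            return $user;
        }
        return isset($user[$field]) ? $user[$field] : null;
    }
}

// A view that hardcodes the session key instead of receiving the value.
function viewReadsSession() {
    $user = SessionStore::read('Auth.User');
    return $user === null ? null : $user['id'];
}
// A view that only sees what the controller passed in.
function viewUsesPassedValue(array $viewVars) {
    return isset($viewVars['authUser']['id']) ? $viewVars['authUser']['id'] : null;
}

// Case 1: default key. Both reads come from the same server-side data.
AuthModel::login(array('id' => 42, 'username' => 'alice'));
var_dump(AuthModel::user('id') === viewReadsSession());

// Case 2: the key is changed in configuration and a new session starts.
SessionStore::clear();
AuthModel::$sessionKey = 'Auth.Member';
AuthModel::login(array('id' => 42, 'username' => 'alice'));
var_dump(viewReadsSession());                                          // hardcoded key
var_dump(viewUsesPassedValue(array('authUser' => AuthModel::user()))); // passed value
```

Run it with the PHP CLI. Case 1 shows that neither read path is more trustworthy than the other, and case 2 shows why the view should not know the key.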
