doujichan1399 2013-09-08 19:16
浏览 35
已采纳

在CakePHP 2.3中,$ this-> Session-> read('Auth.User.field')是否安全?

I've been working with cakePHP 2.3 for little while now and i've seen a lot of people using $this->Session->read('Auth.User.id'), especially in views. I'm however wondering how secure that is. Should you not create in the AppController something like

   function beforeRender() {

    if(!empty($this->Auth->user())) {
        $this->set('authUser',$this->Auth->user());
    }
   }

to check the user in your views? I can't find any clarification about this in the manual or elsewhere. Is Session secure enough to be counted on?

  • 写回答

1条回答 默认 最新

  • dqusbxh44823 2013-09-08 20:01
    关注

    Well, depending on the type of authentication, AuthComponent::user() (it's a static method in Cake 2.x btw) reads the value from the session anyways (in case the static user cache is empty). So, in case the user would be able to modify the session value that holds the ID, both of these methods would be compromised.

    Nonetheless you'd better pass the value to the view from the controller, the view doesn't know about the proper key as it's defined on the Auth component, also the Auth component implementation might change causing the view not to be able to access the value like this anymore at all.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 素材场景中光线烘焙后灯光失效
  • ¥15 请教一下各位,为什么我这个没有实现模拟点击
  • ¥15 执行 virtuoso 命令后,界面没有,cadence 启动不起来
  • ¥50 comfyui下连接animatediff节点生成视频质量非常差的原因
  • ¥20 有关区间dp的问题求解
  • ¥15 多电路系统共用电源的串扰问题
  • ¥15 slam rangenet++配置
  • ¥15 有没有研究水声通信方面的帮我改俩matlab代码
  • ¥15 ubuntu子系统密码忘记
  • ¥15 保护模式-系统加载-段寄存器