doujichan1399
2013-09-08 19:16
浏览 34
已采纳

在CakePHP 2.3中,$ this-> Session-> read('Auth.User.field')是否安全?

I've been working with cakePHP 2.3 for little while now and i've seen a lot of people using $this->Session->read('Auth.User.id'), especially in views. I'm however wondering how secure that is. Should you not create in the AppController something like

   function beforeRender() {

    if(!empty($this->Auth->user())) {
        $this->set('authUser',$this->Auth->user());
    }
   }

to check the user in your views? I can't find any clarification about this in the manual or elsewhere. Is Session secure enough to be counted on?

  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • dqusbxh44823 2013-09-08 20:01
    已采纳

    Well, depending on the type of authentication, AuthComponent::user() (it's a static method in Cake 2.x btw) reads the value from the session anyways (in case the static user cache is empty). So, in case the user would be able to modify the session value that holds the ID, both of these methods would be compromised.

    Nonetheless you'd better pass the value to the view from the controller, the view doesn't know about the proper key as it's defined on the Auth component, also the Auth component implementation might change causing the view not to be able to access the value like this anymore at all.

    打赏 评论