CakePHP

Security issue in CakePHP code documentation

Submitted by Amir Shevat on Thu, 03/04/2010 - 19:37

I have been using CakePHP for a long time now and enjoy every second. It provides a productive, easy to use and well document platform for PHP application. The key advantages for me are – transparent OR mapping, a strong Model View Controller framework, and tons of extra utilities that make your life better.

I have came across a possible security issue in one of cakePHP code examples. This section of code is responsible to authorize or un-authorize clients access to a certain action (MVC flow)

<?php
    function isAuthorized() {
        if ($this->action == 'delete') {
            if ($this->Auth->user('role') == 'admin') {
                return true;
            } else {
                return false;
            }
        }

        return true;
    }
?>

The major security rule this code is breaking is – never ever have 'return true' as a default for an authorization method.

  • Amir Shevat's blog
  • 5 comments
  • Read more

CakeOTP 1.0 - Secure, Expirable, Table-less One Time Password for CakePHP Released

Submitted by Amir Shevat on Thu, 02/11/2010 - 03:34

CakeOTP is a secure, table-less and expirable implementation of One Time Password for the popular CakePHP development framework.

A one-time password (OTP) is a password that is only valid for a single login session or transaction. It is commonly used in the internet for registration and password reminder process in which OTPs are provides to the user in a form of a link that the user uses to access in order to create/reset his password.

The problem is that most one-time password implementation involve maintaining additional database tables and batch process that handle the persistence and expire date of the one time password. This adds complexity and reduces performance.

CakeOTP is a simple and clean implementation of one time password. It reduces complexity by removing the redundant SQL calls and DB batch maintenance while still keeping the one time password secure and expirable.

Download this release here.

Checkout the Online Demo, project page and getting started page.

  • Amir Shevat's blog
  • Add new comment
  • Read more

CakeOTP 0.1 beta release - One Time Password Reference Implementation for CakePHP

Submitted by Amir Shevat on Fri, 01/22/2010 - 04:05


I have started to implement the algorithm for tableless, secure One time password.

Here is a link to the Demo, and here is a link to the beta release.

The only thing you need to do other then the regular cakePHP setup is to create a user table (used by the CakePHP Auth component):

  • Amir Shevat's blog
  • Add new comment
  • Read more
Powered by Drupal, an open source content management system
Syndicate content