authentication: 1.1.3 & SecurityComponent yield "Bad Request".
When I have time later I will provide steps to reproduce the error more specifically. For now, I will say that in Cake 3.7.9 and Authentication plugin 1.1.3, using default configuration in SecurityComponent, I get a “Bad Request” on all form posts.
Downgrading to the 1.1.2 version of the plugin resolves it.
About this issue
- State: closed
- Created 5 years ago
- Comments: 18 (8 by maintainers)
Commits related to this issue
- Fix session rotation on each request The changes from #271 were not backported to 1.x and thus when authentication and SecurityComponent were combined every request would fail. Fixes #284 — committed to cakephp/authentication by markstory 5 years ago
- Fix Security component & session authenticator The session needs to be read before being renewed. Failing to do so results in data from the previous request being lost when the id is rotated. Fixes #28... — committed to cakephp/authentication by markstory 5 years ago
- Unlock login action due to session renew after login Per discussion here: https://github.com/cakephp/authentication/issues/284 Since the session needs to be renewed upon login, the `SecurityCompon... — committed to groovenectar/users by groovenectar 5 years ago
Historically `SecurityComponent` did a lot of security related stuff, for e.g. it handled CSRF protection too. Currently it only provides form tampering protection and enforcing use of `https` for specific URLs. The latter is pretty simple to achieve, so in 4.x we should probably deprecate `SecurityComponent` and move the form tampering protection code into a new `FormTamperingProtectionComponent`.
@markstory I’ll do this tonight and let you know.
Thanks.
Thanks for jumping on this. I spent hours trying to figure this out.