问题描述
我创建了一个简单的应用程序来在 CakePHP 4.2 中查找拼字游戏中的有效单词。它有多种形式,用户可以在其中输入一个单词(或随机排序的字母),并且应用程序会为该单词生成所有可能的字谜,o 只是告诉该单词是否有效。示例:
<?PHP
echo $this->Form->create();
echo $this->Form->control('letters',['label' => false,'encoding'=>'utf-8','div' => false,'class' => 'myClass','autofocus' => 'autofocus' ]);
echo $this->Form->button(__('Find words'));
echo $this->Form->end();
?>
在开发过程中一切正常,因此我按照说明书 (https://book.cakephp.org/4/en/deployment.html) 中包含的部署建议在生产服务器上试用了我的应用程序。我激活了 FormProtection 组件(我知道说明书建议使用安全组件,该组件已被弃用,而应使用 FormProtection)。我添加了“$this->loadComponent('FormProtection');”到我的 AppController.PHP 文件:
public function initialize(): void
{
parent::initialize();
$this->loadComponent('RequestHandler');
$this->loadComponent('Flash');
/*
* Enable the following component for recommended CakePHP form protection settings.
* see https://book.cakePHP.org/4/en/controllers/components/form-protection.html
*/
$this->loadComponent('FormProtection');
}
再一次,一切似乎都运行良好,但我发现如果用户在提交之前将它们打开一段时间,我的应用程序在提交表单时会抛出以下错误。
从 ckdir/logs/error.log:
2021-02-28 02:28:24 Error: [Cake\Http\Exception\BadRequestException] Bad Request in /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Controller/Component/FormProtectionComponent.PHP on line 143
Stack Trace:
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Controller/Component/FormProtectionComponent.PHP:97
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Event/EventManager.PHP:309
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Event/EventManager.PHP:286
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Event/EventdispatcherTrait.PHP:92
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Controller/Controller.PHP:579
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Controller/ControllerFactory.PHP:96
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Http/BaseApplication.PHP:313
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Http/Runner.PHP:77
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Http/Middleware/CsrfProtectionMiddleware.PHP:169
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Http/Runner.PHP:73
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Http/Middleware/BodyParserMiddleware.PHP:164
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Http/Runner.PHP:73
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Routing/Middleware/RoutingMiddleware.PHP:161
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Http/Runner.PHP:73
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Routing/Middleware/AssetMiddleware.PHP:68
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Http/Runner.PHP:73
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Error/Middleware/ErrorHandlerMiddleware.PHP:126
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Http/Runner.PHP:73
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Http/Runner.PHP:58
- /home3/anagrame/public_html/anagramador2/cakedir/vendor/cakePHP/cakePHP/src/Http/Server.PHP:90
- /home3/anagrame/public_html/anagramador2/cakedir/webroot/index.PHP:40
Request URL: /anagramas/anagramador
Referer URL: http://example.com/anagramas/anagramador
This appears in the view after submitting with DEBUG enabled
到目前为止,我还没有找到有关如何使用/配置组件的详细说明,但我明白(我错了吗?)这是某种标准行为。表单过期,因为在很长时间后提交表单被认为是可疑的。但这给我的用户带来了糟糕的体验,因为作为参考站点,他们通常会长时间保持打开状态,并仅在进行现场或在线拼字游戏时才使用它。错误页面出现的频率太高。他们被迫返回首页,然后返回搜索视图。
所以我的问题是:
- 该过期时间可以延长吗?如果我延长它,我会失去安全性吗?
- 禁用 FormProtection 组件会有多糟糕?我的网站不需要用户注册或登录。它不处理诸如姓名、电子邮件、密码之类的敏感数据……除了存储在数据库中的单词外,什么也不处理。据我所知,我之前版本的应用程序之前没有出现任何安全问题,即使我 10 年来从未关心过它。
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)