CakePHP security


I develop a web application with CakePHP 2.9.9 where users can register and should use the application within their respective user role context. Before I will go online, I would like to ask some things about how to make the application more secure apart from activating the security component.

I guess I have to read out essential things like the user id or the user role in every function by using AuthComponent::user(‘id’) to get fresh data and prevent manipulating user rights?

Do you recommend using ACLs in any case, or is it more likely for complex applications? My application is not highly complex and I think that using ACLs do not help me to protect users from manipulating sent GET or POST IDs I usefor reading or writing records. If I have to code my own protection anyway, I’m not sure if it is worthwhile to use ACL as a blackbox and cannot assess the risc of getting corrupt ACL data later.

I use cookies to store checkout data, for example the id of a location a user chose in a previous step (an earlier form). The previously chosen data should have been generated and verified in the respective checkout step due to form tampering protection, but how secure is it to rely on these data when reading out the cakephp cookies in a later step and write this data to the database or do some verification queries? The Problem is, that it would be very elaborate to do all the checks again and again subsequently without having the context of the earlier controller functions.

Are view variables or other data visible to users with debug level set to 0 in any scenario? When developing it is very helpful to use debug kit and view all the data. But which data can be gathered without debugging?