[html-formfu] Include Catalyst::Controller::RequestToken in C::C::HTML::FormFu
onken at houseofdesign.de
Thu Jan 15 11:51:56 GMT 2009
Hi,
what do you think about including
http://search.cpan.org/perldoc?Catalyst::Controller::RequestToken in the
FormFu controller?
CSRF is a serious problem and RequestToken can protect you against that
threat.
If you think this is a good idea I will start writing a patch for the
controller.
This is how I would do it:
* RequestToken expects a field with the name "_token" to be present, so I
will add this as a hidden field by default.
* This field has a constraint attached which checks whether the token is
valid.
* This feature is disabled by default for backwards compatibility.
* Enable this feature with __PACKAGE__->config->{token}
cheers,
moritz
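The mechanism proposed above (a hidden "_token" field whose constraint rejects a submission unless the token matches the one the server issued), as an added stand-alone example that is not from this thread or from the FormFu project. It assumes HTML::FormFu's Hidden element and Callback constraint, and stands in for the session-stored token with a constructed value rather than going through Catalyst or RequestToken.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTML::FormFu;
use Digest::SHA qw(sha256_hex);

# Token the server issued for this session (constructed sample value; in the
# real controller it would come from the Catalyst session via RequestToken).
my $session_token = sha256_hex("constructed-session-secret");

my $form = HTML::FormFu->new;
$form->element({ type => 'Text', name => 'comment' });

# The hidden "_token" field the proposal adds by default; its default value
# is the issued token so it travels into the rendered form.
my $token = $form->element({ type => 'Hidden', name => '_token' });
$token->default($session_token);

# A missing token must fail, not just a wrong one.
$token->constraint({ type => 'Required' });

# The validity check: constant-time comparison against the issued token,
# so a mismatching token cannot be distinguished by timing.
$token->constraint({
    type     => 'Callback',
    message  => 'Invalid or missing request token',
    callback => sub {
        my ($value) = @_;
        return 0 unless defined $value;
        return 0 unless length($value) == length($session_token);
        my $diff = 0;
        $diff |= ord(substr($value, $_, 1)) ^ ord(substr($session_token, $_, 1))
            for 0 .. length($value) - 1;
        return $diff == 0;
    },
});

# Process a submitted parameter set and report whether it passed validation.
sub check_submission {
    my ($params) = @_;
    $form->process($params);
    return $form->submitted_and_valid ? 'accepted' : 'rejected';
}

print check_submission({ comment => 'hi' }),                          "\n";
print check_submission({ comment => 'hi', _token => 'bogus' }),       "\n";
print check_submission({ comment => 'hi', _token => $session_token }), "\n";
```

Only the third submission should be accepted; the first two show why both a Required and a value-comparison constraint are needed on the token field.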