[html-formfu] Include Catalyst::Controller::RequestToken in C::C::HTML::FormFu

onken at houseofdesign.de onken at houseofdesign.de
Thu Jan 15 11:51:56 GMT 2009


Hi,

what do you think about including
http://search.cpan.org/perldoc?Catalyst::Controller::RequestToken in the
FormFu controller?
CSRF is a serious problem, and RequestToken can protect you against that
threat.

If you think this is a good idea I will start writing a patch for the
controller.

This is how I would do it:

* RequestToken expects a field with the name "_token" to be present, so I
will add this as a hidden field by default.
* This field has a constraint attached which checks whether the token is
valid.
* This feature is disabled by default for backwards compatibility.
* Enable this feature with __PACKAGE__->config->{token}.

cheers,

moritz
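The shape of the proposal above (a hidden "_token" field with a constraint that rejects any value not matching the server-side token), as an added example that is not from this post or from the HTML::FormFu or RequestToken projects. It uses HTML::FormFu's Callback constraint instead of RequestToken, assumes a current HTML::FormFu whose process() accepts a hashref, and the session hash and the make_csrf_token/csrf_token_valid helpers are constructed stand-ins.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTML::FormFu;

# Constructed stand-in for the per-user server-side session.
my %session = ( csrf_token => '' );

# Hypothetical helper: mint a random token and remember it in the session.
sub make_csrf_token {
    my $token = join '', map { sprintf '%02x', int rand 256 } 1 .. 16;
    return $session{csrf_token} = $token;
}

# Hypothetical helper: constant-time comparison of the submitted value
# against the session token, so a wrong token cannot be narrowed by timing.
sub csrf_token_valid {
    my ($submitted) = @_;
    my $expected = $session{csrf_token} or return 0;
    return 0 unless defined $submitted && length $submitted == length $expected;
    my $diff = 0;
    $diff |= ord(substr $submitted, $_, 1) ^ ord(substr $expected, $_, 1)
        for 0 .. length($expected) - 1;
    return $diff == 0;
}

# The form: a normal field plus the hidden "_token" field with a validity
# constraint attached, as the proposal describes.
sub build_form {
    my $form = HTML::FormFu->new;
    $form->populate({
        elements => [
            { type => 'Text', name => 'comment', constraints => ['Required'] },
            { type => 'Hidden', name => '_token', default => $session{csrf_token},
              constraints => [
                  { type => 'Required' },
                  { type => 'Callback', callback => sub { csrf_token_valid($_[0]) } },
              ] },
            { type => 'Submit', name => 'submit' },
        ],
    });
    return $form;
}

make_csrf_token();
my $forged = build_form();
$forged->process({ comment => 'hi', _token => 'not-the-session-token' });
print 'forged token accepted?  ', ($forged->submitted_and_valid ? 'yes' : 'no'), "\n";

my $genuine = build_form();
$genuine->process({ comment => 'hi', _token => $session{csrf_token} });
print 'genuine token accepted? ', ($genuine->submitted_and_valid ? 'yes' : 'no'), "\n";
```

The first form fails submitted_and_valid because the Callback constraint rejects the forged value; the second passes because the submitted token matches the session.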
