Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change

Comment on

( #3333=superdoc: print w/replies, xml ) Need Help??
Like I said, it depends on the method you choose, and it's difficult to implement something generic because it depends on that.
In my framework all requests go through a process of user authentification. Simplified, the user token in the database is checked and updated if it is too old. (I actually have two tokens which overlap.) If you are using Apache::AuthTicket you could add the code to a class that inherits from it.
In the template where I have form to be protected I just add the token into a hidden field with
[%= .user.token.hidden escape=0 %] which gives me the html for the hidden field.
Wherever a request is made that requires a valid token I simply write:
which automatically throws an exception if the token parameter is invalid, which is caught by the framework and a short error message is displayed. Since I have two overlapping tokens this should never happen except somebody has an open form and presses submit after a long time (12 hours for example).

So for each request/form that needs to be protected there is only one line to be added per template and perl code.
You can even put the require_token call into the framework code before the actual method is called; do this for every post request. (and in the actual code also check for post; this should be done anyway).
but I'm not sure if this is a good idea. Then you have to add the token to every post form, even if a valid token is not needed. Or you do it the other way round and explicitly define which requests don't need a check. This way it cannot be forgotten when adding new code.

In reply to Re^3: Apache2::AuthCookieDBI, Mason, and protecting against Cross-Site Request Forgery (CSRF) by tinita
in thread Apache2::AuthCookieDBI, Mason, and protecting against Cross-Site Request Forgery (CSRF) by Anonymous Monk

Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":

  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.
  • Log In?

    What's my password?
    Create A New User
    and all is quiet...

    How do I use this? | Other CB clients
    Other Users?
    Others having an uproarious good time at the Monastery: (5)
    As of 2018-01-20 14:05 GMT
    Find Nodes?
      Voting Booth?
      How did you see in the new year?

      Results (226 votes). Check out past polls.