in reply to Apache2::AuthCookieDBI, Mason, and protecting against Cross-Site Request Forgery (CSRF)
The principle is always the same: if a http request can be forged by a different website, and the user is authenticated by cookie, you cannot know if the user made the request theirselves. So you have to put an additional parameter into the form (or query string) with which you can check that the user is really authenticated. Something that the attacker website cannot know. So you can simply use the session id and let the backend compare cookie and form parameter; or if you want to avoid putting the session id into the HTML, create an extra token for the user and save it in the database. Additionally you should change the token regularly.
I don't know if any of the frameworks has automated support for this. You need an easy way to put the token parameter into every HTML form, and an easy method to check the token on every form submit, that's all.