PrePAN


HTML::FormHandlerX::RequestToken HTML::FormHandler with session tokens to foil CSRF attacks

Author: robrwo@github
Status: In Review

Synopsis

# In your form, make it an extension of 'HTML::FormHandlerX::RequestToken' instead of
# 'HTML::FormHandler::Moose' and add the field:

    has_field 'token' => (
        type     => 'RequestToken',
    );

# and in your form template, add

  <input type="hidden" name="token" value="[% token %]" />

# (using the appropriate templating language ;).

# In the controller, where the form is being prepared, add the code

    my $form = MyForm->new( ctx => $c );

    $c->stash->{token} = $form->session_token;

# and where the form is successfully processed, add the code

    $form->clear_session_context;

# to reset the token when it is no longer needed.

Description

This would be similar to Catalyst::Controller::RequestToken, but that module requires different controller methods for displaying the form and processing the response.

Instead, this module would extend HTML::FormHandler with a lazy attribute that contains a random token. A new field type "RequestToken" would validate the submitted value against that token.

To use it, one need only pass the token to the displayed form and add a field of the RequestToken type.
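One way the proposed class and field could look, added here as an illustration rather than code from the module or its author: the token is generated lazily from the OS CSPRNG, kept in the Catalyst session (assumes Catalyst::Plugin::Session; the session key `__request_token` and the helper names are assumed), and compared in constant time when the form is submitted.

```perl
package HTML::FormHandlerX::RequestToken;
use Moose;
extends 'HTML::FormHandler';
# Session key for the token: an assumed name, not given in the proposal.
has session_key => ( is => 'ro', isa => 'Str', default => '__request_token' );

# Lazy attribute: generated once per session and reused until
# clear_session_context is called, so the value rendered in the form is the
# one checked when the form is submitted.
has session_token => ( is => 'ro', isa => 'Str', lazy => 1,
                       builder => '_build_session_token' );

sub _build_session_token {
    my $self = shift;
    return $self->ctx->session->{ $self->session_key } //= _random_hex(32);
}

# Drop the token once the form has been processed successfully.
sub clear_session_context {
    my $self = shift;
    delete $self->ctx->session->{ $self->session_key };
}
# 32 bytes from the OS CSPRNG, hex-encoded (assumes /dev/urandom exists).
sub _random_hex {
    my $n = shift;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read( $fh, my $buf, $n ) == $n or die 'short read from /dev/urandom';
    return unpack 'H*', $buf;
}
package HTML::FormHandler::Field::RequestToken;
use Moose;
extends 'HTML::FormHandler::Field';
# Required, so a missing token is rejected before validate() is reached.
has '+required' => ( default => 1 );

# Constant-time comparison so a mismatch does not leak how many leading
# characters of the token matched.
sub _ct_eq {
    my ( $x, $y ) = @_;
    return 0 unless length($x) == length($y);
    my $diff = 0;
    $diff |= ord( substr $x, $_, 1 ) ^ ord( substr $y, $_, 1 ) for 0 .. length($x) - 1;
    return $diff == 0;
}
# Runs during form validation; the field's value is the submitted token.
sub validate {
    my $self = shift;
    $self->add_error('Missing or invalid request token')
        unless _ct_eq( $self->value // '', $self->form->session_token );
}
1;
```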
