On Wed, Oct 1, 2008 at 12:19 AM, Ashley <[EMAIL PROTECTED]> wrote:

>> Form template:
>> <form action="[% c.request.uri() %]" method="post">
>> [% USE Digest.SHA1 -%]
>> <input type="hidden" name="csrf_check" value="[% c.sessionid | sha1_hex %]" />
>> </form>
On my personal site I do similar to this, but using jQuery to automatically add these to all forms and A links with class="requires-token".
http://subtech.g.hatena.ne.jp/miyagawa/20080918/1221728765

I was talking about making a Catalyst action to validate this token value as an action plugin, possibly in combination with jshirley's REST actions.

> This won't work because the attacker can grab it by a GET

Usually not. The only chance where your browser leaks these csrf_check values would be when your app is vulnerable to CSSXSS (very rare and IE specific) or when you have a crossdomain.xml that allows everything to be accessible from Flash scripts.
http://www.arunranga.com/articles/browser-cross-site.html#Flash

> and while it doesn't expose the sessionid, it does remain constant
> for the life of the session. As the white paper suggests, it
> has to be pseudo-random and it looks like it has to be per
> request.

I agree that it gives you stronger security if the token is per-request instead of per-session, but that's a trade-off. For instance, a per-request token breaks back-button-and-resubmit. That might be good if your site is a banking site and you don't want to duplicate money transfers by back buttons, but that might not be the case if your site is more casual web 2.0 and does lots of XHR stuff with the same token etc.

That said, Catalyst::Controller::RequestToken implements the per-request token and CSRF validation.
http://search.cpan.org/~hide/Catalyst-Controller-RequestToken-0.01/

--
Tatsuhiko Miyagawa

_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
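As an added example (not code from this thread, nor from Catalyst::Controller::RequestToken), the following standalone Perl script puts the two schemes the reply compares side by side: the per-session token the quoted template derives with sha1_hex from the session id, and a per-request token that is stored in the session and consumed on first use. It assumes a plain hashref in place of $c->session and a session key `_csrf_tokens`, and uses the core Digest::SHA module plus /dev/urandom in place of the TT Digest.SHA1 plugin and the framework's own random source.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);   # core module, standing in for the TT Digest.SHA1 plugin

# Scheme 1: per-session token, what the quoted template emits: a one-way hash of the
# session id, so a leaked token does not reveal the id, but it is constant all session long.
sub session_token { return sha1_hex($_[0]) }
sub check_session_token {
    my ($sessionid, $submitted) = @_;
    return constant_time_eq(session_token($sessionid), $submitted // '');
}

# Scheme 2: per-request token. Each issued token goes into the session hash (here a plain
# hashref standing in for $c->session, an assumption of this example) and is deleted on
# first use, which is exactly what breaks back-button-and-resubmit.
sub issue_request_token {
    my ($session) = @_;
    my $token = sha1_hex(urandom_bytes(20));
    $session->{_csrf_tokens}{$token} = 1;   # a set, so a second tab does not invalidate the first
    return $token;
}
sub check_request_token {
    my ($session, $submitted) = @_;
    return 0 unless defined $submitted;
    return (delete $session->{_csrf_tokens}{$submitted}) ? 1 : 0;
}

# Compare every byte so the time taken does not reveal how many leading bytes matched.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}
sub urandom_bytes {
    my ($n) = @_;
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    sysread($fh, my $buf, $n) == $n or die "short read from /dev/urandom";
    close $fh;
    return $buf;
}

# Constructed session; simulate a POST and then a back-button resubmit of the same form.
my %session = (id => 'constructed-session-id-42');
my $st = session_token($session{id});
my @per_session = map { check_session_token($session{id}, $st) ? 'ok' : 'rejected' } 1, 2;
my $rt = issue_request_token(\%session);
my @per_request = map { check_request_token(\%session, $rt) ? 'ok' : 'rejected' } 1, 2;
print "per-session: first POST $per_session[0], resubmit $per_session[1]\n";
print "per-request: first POST $per_request[0], resubmit $per_request[1]\n";
```

Running it shows the per-session check accepting the resubmit while the per-request check rejects it, which is the back-button trade-off the reply describes.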