[cgiapp] FormKeys / Nonce

2010-07-16 Thread Todd Ross
Hello,

We're looking to increase our application security foundation by adding Nonces 
to our HTML forms.  A Nonce is a one-use token, generated with the form and 
validated with the submission, that helps to mitigate CSRF (cross site request 
forgery) attacks.  A quick search of CPAN doesn't show many available options so 
I'm thinking of writing a module myself.

A couple questions ...

1) Are there existing Nonce solutions that I might be overlooking?
2) What's the best way to integrate the concept into CGI::Application?  
(Plugin?)

I have a prototype coded up already that adds some methods to a base class that 
extends CGI::Application.  It generates and stores the Nonces in a 
CGI::Application::Plugin::Session store and then validates against that store 
later.  Is it common/acceptable for Plugins to have dependencies on other 
Plugins?  My current prototype requires changing the application to add calls to 
generate, validate, and expunge the Nonce tokens.  Once a Nonce is generated, 
it's placed into a template var that in turn populates a hidden form field.  Is 
there a more transparent / automated way of inserting the Nonce into the form or 
is it reasonable to expect the application to handle this in its runmodes?

I'm interested in any feedback you might have on my specific questions or any 
insight that you might have having worked with Nonces in other applications or 
frameworks.  My experience is limited.

Thanks,

Todd
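The generate / validate / expunge cycle described above, as an added example (not code from this thread or from any CPAN module). It assumes CGI::Application::Plugin::Session is loaded, a Unix host with /dev/urandom, and the made-up names $NONCE_TTL, $NONCE_KEY, nonce_generate, nonce_validate, show_form and handle_submit:

```perl
package MyApp;
use strict; use warnings;
use base 'CGI::Application';
use CGI::Application::Plugin::Session;   # provides $self->session
my ($NONCE_TTL, $NONCE_KEY) = (30 * 60, 'csrf_nonces');   # hypothetical tunables

sub setup {
    my $self = shift;
    $self->start_mode('show_form');
    $self->run_modes([qw(show_form handle_submit)]);
}

# Generate: 32 bytes from /dev/urandom (assumes a Unix host), hex-encoded and
# recorded in the session together with its creation time.
sub nonce_generate {
    my $self = shift;
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $n = read $fh, my $bytes, 32;
    die "urandom short read" unless defined $n && $n == 32;
    my $nonce  = unpack 'H*', $bytes;
    my $nonces = $self->session->param($NONCE_KEY) || {};
    $nonces->{$nonce} = time;
    $self->session->param($NONCE_KEY => $nonces);   # re-set so the store is flushed
    return $nonce;
}

# Validate and expunge: accept only a well-formed nonce known to this session and
# not expired; it is deleted on first check, so it can be used exactly once.
sub nonce_validate {
    my ($self, $nonce) = @_;
    return 0 unless defined $nonce && $nonce =~ /\A[0-9a-f]{64}\z/;
    my $nonces = $self->session->param($NONCE_KEY) || {};
    my $issued = delete $nonces->{$nonce};
    $self->session->param($NONCE_KEY => $nonces);
    return (defined $issued && time - $issued <= $NONCE_TTL) ? 1 : 0;
}

sub show_form {
    my $self  = shift;
    my $nonce = $self->nonce_generate;   # would normally go into a template var
    return qq{<form method="post"><input type="hidden" name="rm" value="handle_submit">}
         . qq{<input type="hidden" name="nonce" value="$nonce"><input type="submit"></form>};
}

sub handle_submit {
    my $self = shift;
    return 'Submission accepted.' if $self->nonce_validate(scalar $self->query->param('nonce'));
    $self->header_props(-status => '403 Forbidden');
    return 'Form token missing, reused or expired; reload the form.';
}
```

Because the nonce is bound to the session and removed on first validation, a replayed or cross-site-forged POST fails even if it carries a token that was once valid.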

#  CGI::Application community mailing list  
####
##  To unsubscribe, or change your message delivery options,  ##
##  visit:  http://www.erlbaum.net/mailman/listinfo/cgiapp##
####
##  Web archive:   http://www.erlbaum.net/pipermail/cgiapp/   ##
##  Wiki:  http://cgiapp.erlbaum.net/ ##
####




Re: [cgiapp] FormKeys / Nonce

2010-07-16 Thread Michael Peters
On 07/16/2010 02:19 PM, Todd Ross wrote:

> 1) Are there existing Nonce solutions that I might be overlooking?
> 2) What's the best way to integrate the concept into CGI::Application?
> (Plugin?)

For both of these you should look at the 
CGI::Application::Plugin::ProtectCSRF module. It might not be exactly 
what you're looking for, but it should give you at least a basis for 
your own solution.

-- 
Michael Peters
Plus Three, LP





Re: [cgiapp] FormKeys / Nonce

2010-07-16 Thread Ron Savage
Hi Todd

On Fri, 2010-07-16 at 14:31 -0400, Michael Peters wrote:
> On 07/16/2010 02:19 PM, Todd Ross wrote:
>
> > 1) Are there existing Nonce solutions that I might be overlooking?
> > 2) What's the best way to integrate the concept into CGI::Application?
> > (Plugin?)
>
> For both of these you should look at the 
> CGI::Application::Plugin::ProtectCSRF module. It might not be exactly 
> what you're looking for, but it should give you at least a basis for 
> your own solution.

See also http://from.bz/public/documents/publications/csrf.pdf

and http://blog.archive.jpsykes.com/47/practical-csrf-and-json-security/


-- 
Ron Savage
http://savage.net.au/
Ph: 0421 920 622

