On Sun, Mar 28, 2010 at 6:05 PM, Tomas Doran <[email protected]> wrote:
> > On 29 Mar 2010, at 01:06, Bill Moseley wrote:
> >>
> >> I do this -- every POST must include a token, and the token can only be used once. That means the form must be fetched before being posted (to generate the token).
> >
> > Have anything generic you'd care to share? :)

Nothing generic -- and it's not rocket science, either. Or very glamorous.

I simply have a template macro for creating my <form> tag which also includes the hidden field with the token id. Then, as part of the form validation process used for every post, I check that the token was provided and is valid. The token is either in the database or in memcached. (I have a form_posted() method that does this check, along with a check for the correct method (PUT or POST).)

> The issue is that if you're generating a form in javascript, and submitting it in javascript, then something finding forms in the page output (and adding a token automatically), which was what I initially suggested - would fail to find the form, and ergo you'd have an issue :)
>
> (i.e. it couldn't 'just work automatically' in that case without the application collaborating in some manner).

I think I get it. Thanks,

--
Bill Moseley
[email protected]
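The scheme described above (token minted when the form is rendered, checked and burned on POST/PUT, held in a server-side store), as an added illustration that is not Bill's or Catalyst's code. The in-memory CsrfTokenStore stands in for the database or memcached table; render_form and form_posted are hypothetical names for the template macro and the per-request check, and it also covers the expiry and wrong-session cases the message does not spell out.

```python
import hmac
import secrets
import time

# Constructed stand-in for the database/memcached token table.
class CsrfTokenStore:
    def __init__(self, ttl_seconds=3600, now=time.time):
        self._tokens = {}          # token -> (session_id, expiry timestamp)
        self._ttl = ttl_seconds
        self._now = now            # injectable clock so expiry is testable

    def issue(self, session_id):
        """Mint a fresh token while rendering the form (the GET)."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (session_id, self._now() + self._ttl)
        return token

    def consume(self, session_id, token):
        """Validate and burn the token: a replay of the same value fails."""
        if not isinstance(token, str) or not token or not token.isascii():
            return False
        # Constant-time comparison against each stored token, so timing does
        # not leak how much of a guessed token matched.
        match = next((t for t in self._tokens
                      if hmac.compare_digest(t, token)), None)
        if match is None:
            return False
        owner, expiry = self._tokens.pop(match)   # single use: always remove
        return owner == session_id and self._now() <= expiry


def render_form(store, session_id, action):
    """Template-macro equivalent: <form> tag plus the hidden token field."""
    token = store.issue(session_id)
    return (f'<form method="POST" action="{action}">'
            f'<input type="hidden" name="csrf_token" value="{token}">')


def form_posted(store, session_id, method, params):
    """Per-request check: correct method AND a valid, not-yet-used token."""
    if method not in ("POST", "PUT"):
        return False
    return store.consume(session_id, params.get("csrf_token"))
```

A form built and submitted purely in JavaScript never passes through render_form, so it must fetch a token from the application itself; nothing that only rewrites server-rendered <form> tags can supply one.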
_______________________________________________ List: [email protected] Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst Searchable archive: http://www.mail-archive.com/[email protected]/ Dev site: http://dev.catalyst.perl.org/
