On 29 November 2009 at 00:21:13, Mark Rajcok <[email protected]> wrote:
> I want to guard against multiple form submissions (reload, resubmit,
> etc.) and CSRF in my app:
> http://en.wikipedia.org/wiki/Cross-site_request_forgery
> http://www.perlmonks.org/?node_id=606832
> I hacked up a simple plugin. Do you think it would be useful? Or might
> something like this already exist?
>
> [...]
>
> # generate a new token for this new form
> my $token = sha1_base64($self->session->param('_SESSION_ID') . time);

Hi,

I think the idea is really good. In the token generation, I would try to be less predictable, and inject a secret string coming from a config file, something like:

    use Digest::SHA qw(sha1_base64);

    # 'csrf-seed' is a secret kept in the server-side config and never sent to clients
    my $token = sha1_base64(
        join '/',
            $self->config('csrf-seed'),
            $self->session->param('_SESSION_ID'),
            time
    );

So even if you know that a specific app is made with CGI::Application and it uses CSRF protection, you have lower chances of predicting the exact sha1 hash that will be generated.

--
Cosimo

CGI::Application community mailing list
Web archive: http://www.erlbaum.net/pipermail/cgiapp/
Wiki: http://cgiapp.erlbaum.net/
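A worked version of the scheme the thread discusses, added here as an example and not code from either poster or from CGI::Application: the token is derived as the reply proposes (secret seed from config, session id, time), one is issued per rendered form, and it is consumed on first use so that a reload or resubmit is rejected. The seed value, session id and the FormGuard class are assumed names for illustration.

```python
import base64
import hashlib
import hmac
import time


def make_token(csrf_seed, session_id, now=None):
    """Token as proposed in the reply: sha1_base64(seed / session_id / time).
    csrf_seed lives in the server config and is never sent to the client, so
    knowing the framework and the session id alone does not predict the token."""
    now = int(time.time()) if now is None else now
    material = "/".join([csrf_seed, session_id, str(now)])
    digest = hashlib.sha1(material.encode()).digest()
    # Perl's Digest::SHA sha1_base64() omits '=' padding; mirror that here.
    return base64.b64encode(digest).decode().rstrip("=")


class FormGuard:
    """Per-session bookkeeping: issue a token per rendered form, accept it once."""

    def __init__(self, csrf_seed, session_id):
        self.seed = csrf_seed
        self.sid = session_id
        self.issued = set()  # in a real app this set lives in the session store

    def new_form(self, now=None):
        """Called when rendering a form; returns the token for the hidden field."""
        token = make_token(self.seed, self.sid, now)
        self.issued.add(token)
        return token

    def check_and_consume(self, submitted):
        """Called on POST. Valid only if issued to this session and not yet used;
        consuming it rejects reloads, double submits and replays."""
        match = None
        for token in self.issued:
            # constant-time comparison so timing does not leak token bytes
            if hmac.compare_digest(token, submitted):
                match = token
        if match is None:
            return False
        self.issued.discard(match)
        return True


if __name__ == "__main__":
    guard = FormGuard("constructed-seed-from-config", "sess-42")  # constructed values
    token = guard.new_form()
    print("first submit :", guard.check_and_consume(token))   # True
    print("second submit:", guard.check_and_consume(token))   # False, already used
    print("forged token :", guard.check_and_consume("nope"))  # False
```

Because the time component has one-second resolution, two forms rendered in the same second for the same session get the same token; mixing in a per-form random value (e.g. from Python's secrets module) removes that collision.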
