Hello,

We're looking to increase our application security foundation by adding Nonces to our HTML forms. A Nonce is a one-use token, generated with the form and validated with the submission, that helps to mitigate CSRF (cross site request forgery) attacks. A quick search of CPAN doesn't show many available options so I'm thinking of writing a module myself.

A couple questions ...

1) Are there existing Nonce solutions that I might be overlooking?

2) What's the best way to integrate the concept into CGI::Application? (Plugin?)

I have a prototype coded up already that adds some methods to a base class that extends CGI::Application. It generates and stores the Nonces in a CGI::Application::Plugin::Session store and then validates against that store later. Is it common/acceptable for Plugins to have dependencies on other Plugins?

My current prototype requires changing the application to add calls to generate, validate, and expunge the Nonce tokens. Once a Nonce is generated, it's placed into a template var that in turn populates a hidden form field. Is there a more transparent / automated way of inserting the Nonce into the form or is it reasonable to expect the application to handle this in its runmodes?

I'm interested in any feedback you might have on my specific questions or any insight that you might have having worked with Nonces in other applications or frameworks. My experience is limited.

Thanks,
Todd

CGI::Application community mailing list. Web archive: http://www.erlbaum.net/pipermail/cgiapp/ Wiki: http://cgiapp.erlbaum.net/
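The lifecycle described in the post (generate, store in the session, emit as a hidden field, validate once on submission, expunge stale tokens), as an added example in plain Perl that is neither the post's prototype nor CGI::Application code. It assumes a plain hash standing in for the session plugin's store and /dev/urandom as the randomness source.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed stand-in for the session store (an assumption, not the post's
# prototype): a hash keyed by token, holding each token's issue timestamp.
my %session = ( nonces => {} );
my $TTL = 900;    # seconds a form may sit open before its nonce expires

# Unguessable token: 32 bytes from the OS CSPRNG, hashed to 64 hex chars
sub random_token {
    open( my $fh, '<:raw', '/dev/urandom' ) or die "urandom: $!";
    read( $fh, my $bytes, 32 ) == 32 or die "short read from urandom";
    close $fh;
    return sha256_hex($bytes);
}

# Generate: mint a token and remember it in the session for the template
sub nonce_generate {
    my ($sess) = @_;
    my $token = random_token();
    $sess->{nonces}{$token} = time;
    return $token;
}

# Validate on submission: right shape, issued by us, unexpired. The token is
# deleted on first sight, so a replay of the same token fails the second time.
sub nonce_validate {
    my ( $sess, $token ) = @_;
    return 0 unless defined $token && $token =~ /\A[0-9a-f]{64}\z/;
    my $issued = delete $sess->{nonces}{$token};
    return 0 unless defined $issued;
    return ( time - $issued ) <= $TTL ? 1 : 0;
}

# Expunge: drop stale tokens so abandoned forms do not grow the session
sub nonce_expunge {
    my ($sess) = @_;
    my $now = time;
    delete @{ $sess->{nonces} }{ grep { $now - $sess->{nonces}{$_} > $TTL } keys %{ $sess->{nonces} } };
}
# Hidden field the template emits (token is hex, so no HTML escaping needed)
sub nonce_field {
    my ($token) = @_;
    return qq{<input type="hidden" name="nonce" value="$token">};
}
my $t = nonce_generate( \%session );
print nonce_field($t), "\n";
print 'first submit: ', ( nonce_validate( \%session, $t ) ? 'ok' : 'rejected' ), "\n";
print 'replayed:     ', ( nonce_validate( \%session, $t ) ? 'ok' : 'rejected' ), "\n";
print 'forged:       ', ( nonce_validate( \%session, 'deadbeef' ) ? 'ok' : 'rejected' ), "\n";
nonce_expunge( \%session );
```

In a real plugin the three subs would wrap the session plugin's param store and nonce_expunge could run from a prerun hook, so individual runmodes only need the generate and validate calls.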