[cgiapp] CAP::Security::CSRF -- useful?
Cosimo Streppone
cosimo at streppone.it
Sun Nov 29 08:46:12 EST 2009
On 29 November 2009 at 00:21:13, Mark Rajcok
<mrajcok at gmail.com> wrote:
> I want to guard against multiple form submissions (reload, resubmit,
> etc.)
> and CSRF in my app:
> http://en.wikipedia.org/wiki/Cross-site_request_forgery
> http://www.perlmonks.org/?node_id=606832
> I hacked up a simple plugin. Do you think it would be useful? or might
> something like this already exist?
>
> [...]
>
> # generate a new token for this new form
> my $token = sha1_base64($self->session->param('_SESSION_ID') . time);
Hi,
I think the idea is really good.
In the token generation, I would try to be less predictable,
and inject a secret string coming from a config file,
something like:
use Digest::SHA qw(sha1_base64);   # sha1_base64 comes from Digest::SHA

my $token = sha1_base64( join '/',
    $self->config('csrf-seed'),
    $self->session->param('_SESSION_ID'),
    time
);
So even if you know that a specific app is made with CGI::Application
and it uses CSRF protection, you have lower chances of
predicting the exact sha1 hash that will be generated.
--
Cosimo
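As an added example, not code from Mark's plugin or from Cosimo's reply: a small Perl script showing how a CGI::Application-style plugin could issue and check one-time CSRF tokens, covering both goals of the original question (CSRF and reload/resubmit). It goes beyond the reply's sha1(seed/session/time) construction: the token is a random nonce from the kernel CSPRNG, bound to the session with an HMAC under the config secret, recorded in the session, compared in constant time and consumed on first use. Assumptions not taken from the thread: the session is a plain hash standing in for CGI::Session, `$SECRET` stands in for a value read from the app config (the `csrf-seed` of the reply), `/dev/urandom` is available, and `Digest::SHA` (a core module since Perl 5.10) is installed.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread.  One-time CSRF tokens
# of the kind a CGI::Application plugin would issue and check.
# Assumptions (not from the page): %session is a plain hash standing in
# for CGI::Session, $SECRET stands in for a value read from the app
# config ('csrf-seed' in the reply above), and /dev/urandom is available.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module since Perl 5.10

# Hypothetical secret.  In a real app read it from a config file outside
# the document root; it must be long and random, never a fixed string.
my $SECRET = 'example-secret-from-config-replace-me';

# Read $n bytes from the kernel CSPRNG and return them hex-encoded.
# Perl's rand() is seeded predictably and must not be used for tokens.
sub random_hex {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $buf, $n;
    close $fh;
    die 'short read from /dev/urandom' unless defined $got && $got == $n;
    return unpack 'H*', $buf;
}

# Issue a fresh token for one rendered form.  The random nonce makes the
# token unpredictable even to someone who knows the session id and the
# time; the HMAC under the config secret binds it to this session.  The
# token is recorded in the session so it can be accepted exactly once.
sub new_csrf_token {
    my ($session, $secret) = @_;
    my $nonce = random_hex(16);
    my $mac   = hmac_sha256_hex($session->{_SESSION_ID} . '/' . $nonce, $secret);
    my $token = "$nonce.$mac";
    $session->{csrf_tokens}{$token} = time;
    return $token;
}

# Compare two strings without an early exit on the first mismatch, so the
# response time does not reveal how much of the MAC was guessed right.
sub eq_constant_time {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    for my $i (0 .. length($x) - 1) {
        $diff |= ord(substr $x, $i, 1) ^ ord(substr $y, $i, 1);
    }
    return $diff == 0 ? 1 : 0;
}

# Check a submitted token and consume it.  Returns 1 once for a token this
# session issued; 0 for a missing, malformed, forged, foreign-session or
# already-used token, which also covers reload / double submission.
sub check_csrf_token {
    my ($session, $secret, $submitted) = @_;
    return 0 unless defined $submitted;
    my ($nonce, $mac) = split /\./, $submitted, 2;
    return 0 unless defined $nonce && defined $mac && $nonce =~ /^[0-9a-f]{32}\z/;
    my $expected = hmac_sha256_hex($session->{_SESSION_ID} . '/' . $nonce, $secret);
    return 0 unless eq_constant_time($mac, $expected);
    # The MAC is valid; now it must still be outstanding for this session.
    return 0 unless delete $session->{csrf_tokens}{$submitted};
    return 1;
}

# Constructed sessions standing in for CGI::Session objects.
my %session = (_SESSION_ID => 'constructed-session-id-0001');
my %other   = (_SESSION_ID => 'constructed-session-id-0002');

my $token = new_csrf_token(\%session, $SECRET);
printf "issued token:             %s\n", $token;
printf "tampered token:           %d\n", check_csrf_token(\%session, $SECRET, $token . 'x');
printf "first submission:         %d\n", check_csrf_token(\%session, $SECRET, $token);
printf "reload / resubmit:        %d\n", check_csrf_token(\%session, $SECRET, $token);

my $foreign = new_csrf_token(\%other, $SECRET);
printf "token of another session: %d\n", check_csrf_token(\%session, $SECRET, $foreign);
```

In a plugin, `new_csrf_token` would run when the form is rendered and the token would go into a hidden field; `check_csrf_token` would run at the top of the run mode that performs the state change, before anything is written, and the `csrf_tokens` hash would live in `$self->session->param(...)` rather than in a plain hash. The tampered token fails on the HMAC, the second submission of the same token fails because the token was deleted from the session on first use, and the token issued to the other session fails because its MAC was computed over a different session id, so the store is never even consulted. Old unused tokens should be expired from the store using the recorded timestamp, otherwise the session grows with every form rendered and never submitted.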