[cgiapp] FormKeys / Nonce

Todd Ross tar.lists at yahoo.com
Fri Jul 16 14:19:45 EDT 2010


Hello,

We're looking to increase our application security foundation by adding Nonces 
to our HTML forms.  A Nonce is a one-use token, generated with the form and 
validated with the submission, that helps to mitigate CSRF (cross site request 
forgery) attacks.  A quick search of CPAN doesn't show many available options so 
I'm thinking of writing a module myself.

A couple of questions ...

1) Are there existing Nonce solutions that I might be overlooking?
2) What's the best way to integrate the concept into CGI::Application?  
(Plugin?)

I have a prototype coded up already that adds some methods to a base class that 
extends CGI::Application.  It generates and stores the Nonces in a 
CGI::Application::Plugin::Session store and then validates against that store 
later.  Is it common/acceptable for Plugins to have dependencies on other 
Plugins?  My current prototype requires changing the application to add calls to 
generate, validate, and expunge the Nonce tokens.  Once a Nonce is generated, 
it's placed into a template var that in turn populates a hidden form field.  Is 
there a more transparent / automated way of inserting the Nonce into the form or 
is it reasonable to expect the application to handle this in its runmodes?

I'm interested in any feedback you might have on my specific questions or any 
insight that you might have having worked with Nonces in other applications or 
frameworks.  My experience is limited.

Thanks,

Todd

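One way to lay out the generate / validate / expunge methods described in the post, as an added example that is not Todd's prototype or any CPAN module; the package name, method names and session key are assumptions, and it relies on CGI::Application::Plugin::Session for $self->session:

```perl
package MyApp::NonceBase;   # hypothetical base class that extends CGI::Application
use strict;
use warnings;
use base 'CGI::Application';
use CGI::Application::Plugin::Session;   # provides $self->session
use MIME::Base64 qw(encode_base64url);

use constant NONCE_TTL => 3600;   # seconds a token stays valid
use constant NONCE_MAX => 20;     # outstanding tokens kept per session

# Issue a token bound to one named form and record it in the session.
# The runmode puts the return value into the hidden field, e.g.
#   $tmpl->param(nonce => $self->nonce_generate('edit_profile'));
sub nonce_generate {
    my ($self, $form) = @_;
    my $store = $self->session->param('__nonces') || {};
    _prune($store);
    my $token = _random_token();
    $store->{$token} = { form => $form, issued => time };
    # Re-assign the hashref: CGI::Session persists what is set via param().
    $self->session->param('__nonces', $store);
    return $token;
}

# Accept the submitted token at most once: it is deleted on first sight,
# whether or not it matches, so a replay of the same form post fails.
sub nonce_validate {
    my ($self, $form) = @_;
    my $token = $self->query->param('nonce');
    return 0 unless defined $token && $token =~ /^[A-Za-z0-9_-]{43}$/;
    my $store = $self->session->param('__nonces') || {};
    _prune($store);
    my $entry = delete $store->{$token};
    $self->session->param('__nonces', $store);
    return $entry && $entry->{form} eq $form ? 1 : 0;
}

# Drop every outstanding token, e.g. on logout or privilege change.
sub nonce_expunge { $_[0]->session->param('__nonces', {}) }

sub _prune {                      # expire old tokens, cap the store size
    my ($store) = @_;
    my $now = time;
    delete $store->{$_} for grep { $now - $store->{$_}{issued} > NONCE_TTL } keys %$store;
    my @old = sort { $store->{$a}{issued} <=> $store->{$b}{issued} } keys %$store;
    delete $store->{ shift @old } while @old > NONCE_MAX;
}

sub _random_token {               # 256 bits from the kernel CSPRNG, URL-safe
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    my $n = read $fh, my $bytes, 32;
    die "short read from urandom" unless $n && $n == 32;
    return encode_base64url($bytes);   # 43 characters, no padding
}
1;
```

Because the token lives in the server-side session, a forged cross-site request cannot know it, and because it is deleted on first validation, a captured one cannot be replayed.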