
Catalyst::Plugin::FormCanary - check that forms are submitted from your site

use Catalyst qw(... Session ... FormCanary ...);
FormCanary will examine your outgoing HTML and add a canary value to each form. When the form is submitted, the value of the canary is compared against one saved in the session at page generation time. If the canary that's sent doesn't match the one in the session (or there is no canary at all), the request is halted.
There is no way to get params into your application without a correct canary. This is good for preventing "cross-site request attacks" (cross-site request forgery, CSRF).
This module is compatible with FormBuilder. Just drop it into your use line and have secure submit-once-only forms. Yay.
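
The canary round trip described above, sketched in plain Perl as an added example; it is not the plugin's own code. The `%session` hash, the `_canary` field name and the helper names are assumptions made for illustration, and the script expects a Unix-like system with /dev/urandom.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical names throughout; %session stands in for a server-side session.
my $FIELD = '_canary';    # assumed field name, not taken from the plugin

# Draw 16 bytes from the OS CSPRNG (Unix-like systems) and hex-encode them.
sub new_canary {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open urandom: $!";
    read($fh, my $buf, 16) == 16 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $buf;
}

# Page generation: remember a fresh canary and add it to every <form>.
sub add_canary {
    my ($session, $html) = @_;
    my $canary = $session->{canary} = new_canary();
    $html =~ s{(<form\b[^>]*>)}{$1<input type="hidden" name="$FIELD" value="$canary">}gi;
    return $html;
}

# Submission: compare without an early exit, and consume the canary so the
# same form cannot be submitted twice.
sub check_canary {
    my ($session, $params) = @_;
    my $want = delete $session->{canary};
    my $got  = $params->{$FIELD};
    return 0 unless defined $want && defined $got && length $want == length $got;
    my $diff = 0;
    $diff |= ord(substr $want, $_, 1) ^ ord(substr $got, $_, 1) for 0 .. length($want) - 1;
    return $diff == 0;
}

# Constructed demonstration input.
my %session;
my $page = add_canary(\%session, '<form action="/transfer" method="post"><input name="amount"></form>');
my ($sent) = $page =~ /name="$FIELD" value="([0-9a-f]+)"/;

# The forged request is checked against a copy so the real session is untouched.
print "forged (no canary):  ", (check_canary({ %session }, { amount => 100 }) ? "accepted" : "halted"), "\n";
print "genuine submission:  ", (check_canary(\%session, { amount => 100, $FIELD => $sent }) ? "accepted" : "halted"), "\n";
print "replayed submission: ", (check_canary(\%session, { amount => 100, $FIELD => $sent }) ? "accepted" : "halted"), "\n";
```

Deleting the canary on every check is what makes a form submit-once-only: the replayed request is halted even though it carries a value that was valid a moment earlier.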

Don't delete the canary, in case resubmitting is OK.
Make this an ActionClass so you can apply the check to a single action instead of everything.
Make the error nicer than die.

You need Catalyst::Plugin::Session up and running.

Jonathan Rockway, <jrockway at cpan.org>

Please report any bugs or feature requests to bug-catalyst-plugin-formcanary at rt.cpan.org, or through the web interface at http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Catalyst-Plugin-FormCanary. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.
irc://irc.perl.org/#catalyst is also a good place to ask for help.

Clone from:
git clone git://git.jrock.us/Catalyst-Plugin-FormCanary
Or view online at http://git.jrock.us/?p=Catalyst-Plugin-FormCanary.git

This site gave me the idea:
http://www.25hoursaday.com/weblog/2007/06/05/WhatRubyOnRailsCanLearnFromASPNET.aspx

Copyright 2007 Jonathan Rockway, all rights reserved.
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.