NAME CGI::Application::Plugin::ProtectCSRF - Plug-in protected from CSRF VERSION 1.00 SYNPSIS use Your::App; use base qw(CGI::Application); use CGI::Application::Plugin::Session; # require!! use CGI::Application::Plugin::ProtectCSRF; sub input_form : PublishCSRFID { my $self = shift; do_something(); } sub finish : ProtectCSRF { my $self = shift; $self->clear_csrf_id; do_something(); } DESCRIPTION CGI::Application::Plugin::ProtectCSRF is C::A::P protected from CSRF. When CSRF is detected, Forbidden is returned and processing is interrupted. ACTION PublishCSRFID PublishCSRFID is action publishes CSRF ticket. CSRF ticket is published when I define it as an attribute of runmode method publishing CSRF ticket, and it is saved in session. If there is form tag in HTML to display after the processing end, as for runmode method to publish, CSRF ticket is set automatically by hidden field # publish CSRF ticket sub input_form: PublishCSRFID { my $self = shift; return < HTML } # display html source
ProtectCSRF ProtectCSRF is action to protect from CSRF Attack. If session CSRF ticket does not accord with query CSRF ticket, application consideres it to be CSRF attack and refuse to access it. Carry out the processing that you want to perform after having carried out clear_csrf_id method when access it, and it was admitted. sub finish : ProtectCSRF { my $self = shift; $self->clear_csrf_id; # require! There is not a meaning unless I do it do_something(); # The processing that you want to performiDB processing etcj } METHOD csrf_id Get ticket for protect CSRF Example: sub input_form : PublishCSRFID { my $self = shift; my $csrf_id = $self->csrf_id; do_something(); } protect_csrf_config Initialize ProtectCSRF Option: csrf_error_status : CSRF error status code (default: 200) csrf_error_mode : CSRF error runmode name (default: _csrf_error) csrf_error_tmpl : CSRF error display html. scalarref or filepath or filehandle (default: $CSRF_ERROR_TMPL - scalarref) csrf_error_tmpl_param : CSRF error display html parameter (for HTML::Template) csrf_id : CSRF ticket name (default: _csrf_id) csrf_post_only : CSRF protect runmode request method check(default:0 1:POST Only) Example: sub cgiapp_init { my $self = shift; $self->tmpl_path("/path/to/template"); $self->protect_csrf_config( csrf_error_status => 403, # change forbidden csrf_error_tmpl => "csrf_error.tmpl", csrf_error_tmpl_param => { TITLE => "CSRF ERROR", MESSAGE => "your access is csrf!"}, csrf_id => "ticket_id", csrf_post_only => 1 ); } # csrf_error.tmpl