NAME
CGI::Application::Plugin::ProtectCSRF - Plug-in that protects a CGI::Application from CSRF
VERSION
0.02
SYNOPSIS
use Your::App;
use CGI::Application::Plugin::Session; # required!
use CGI::Application::Plugin::ProtectCSRF;
DESCRIPTION
CGI::Application::Plugin::ProtectCSRF is a CGI::Application plug-in (C::A::P) that protects your application from Cross-Site Request Forgery (CSRF). It depends on CGI::Application::Plugin::Session, which must be loaded first.
When a CSRF attempt is detected, 403 Forbidden is returned and processing is interrupted.
METHODS
add_postonly_runmodes
Runmodes registered with add_postonly_runmodes return 403 Forbidden for any request whose method is not POST. Use it for every runmode that changes state, since a GET link is the easiest vehicle for a forged request.
Example :
sub setup { # or cgiapp_init
my $self = shift;
....
# Requests to mode1, mode2 and mode3 that are not POST
# get 403 Forbidden.
$self->add_postonly_runmodes(qw(mode1 mode2 mode3));
}
delete_postonly_runmodes
Removes runmodes previously registered with add_postonly_runmodes, so they accept other request methods again.
Example :
$self->delete_postonly_runmodes(qw(mode1 mode2 mode3));
clear_csrfid
Clears the csrfid. Call it once the protected processing has finished, so the token used for this flow cannot be reused for a further submission:
Input screen => confirmation screen => completion screen (here!!)
Example :
sub input {
my $self = shift;
....
}
sub confirm {
my $self = shift;
....
}
sub complete {
my $self = shift;
... # processing starts here (DB insert etc.)
$self->clear_csrfid;
....
}
is_post_request
Checks the request method. Returns 1 if the request method is POST, otherwise a false value.
Example :
my $post_flag;
if($self->is_post_request){
# $self->query->request_method or $ENV{REQUEST_METHOD} is POST
}else{
# not POST
}
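The three documented methods used together in one application, as an added example that is not code from this module or its author: a three-step input => confirmation => completion flow in which only the state-changing steps are POST-only, the input screen uses is_post_request to tell a fresh visit from a "back" submission, and the completion step clears the csrfid after its side effect. My::SignupApp, _create_account and _page are hypothetical names. This page does not describe how the plug-in embeds or verifies its token, so the example relies only on what is documented above: non-POST requests to registered runmodes get 403 Forbidden, and clear_csrfid discards the token.

```perl
#!/usr/bin/perl
# Added example; not part of CGI::Application::Plugin::ProtectCSRF.
package My::SignupApp;
use strict;
use warnings;
use base 'CGI::Application';
use CGI::Application::Plugin::Session;      # required by ProtectCSRF
use CGI::Application::Plugin::ProtectCSRF;

sub setup {
    my $self = shift;
    $self->start_mode('input');
    $self->run_modes([qw(input confirm complete)]);
    # 'input' stays reachable by GET; the two state-changing steps must be
    # POSTed, anything else gets 403 Forbidden from the plug-in.
    $self->add_postonly_runmodes(qw(confirm complete));
}

# Step 1: the form. Reached by GET on a fresh visit, or by POST when the
# user comes back from the confirmation screen, so prefill only for POST.
sub input {
    my $self = shift;
    my $q    = $self->query;
    my $name = $self->is_post_request ? ($q->param('name') // '') : '';
    my $esc  = $q->escapeHTML($name);
    return _page(
        qq{<form method="post" action="@{[ $q->script_name ]}">}
      . qq{<input type="hidden" name="rm" value="confirm">}
      . qq{Name: <input type="text" name="name" value="$esc">}
      . qq{<input type="submit" value="Confirm"></form>}
    );
}

# Step 2: show what will be submitted; POST-only (see setup).
sub confirm {
    my $self = shift;
    my $q    = $self->query;
    my $esc  = $q->escapeHTML($q->param('name') // '');
    my $act  = $q->script_name;
    return _page(
        qq{<p>Create account for "$esc"?</p>}
      . qq{<form method="post" action="$act">}
      . qq{<input type="hidden" name="rm" value="complete">}
      . qq{<input type="hidden" name="name" value="$esc">}
      . qq{<input type="submit" value="Create"></form>}
      . qq{<form method="post" action="$act">}
      . qq{<input type="hidden" name="rm" value="input">}
      . qq{<input type="hidden" name="name" value="$esc">}
      . qq{<input type="submit" value="Back"></form>}
    );
}

# Step 3: perform the side effect, then clear the csrfid so the token used
# for this flow cannot be replayed for another submission.
sub complete {
    my $self = shift;
    my $name = $self->query->param('name') // '';
    _create_account($name);       # hypothetical: DB insert etc.
    $self->clear_csrfid;
    return _page(q{<p>Done.</p>});
}

# Hypothetical stand-in for the real persistence step.
sub _create_account {
    my ($name) = @_;
    warn "would insert '$name' into the DB\n";
}

sub _page {
    my ($body) = @_;
    return "<html><body>$body</body></html>";
}

package main;
My::SignupApp->new->run;
```

Note that the plug-in enforces the POST restriction before the runmode runs, so confirm and complete contain no method check of their own; is_post_request is only needed where a runmode legitimately serves both methods, as input does here.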
CAUTION
This module provides only basic CSRF protection; implement the other security checks your application needs (input validation, authorization, output escaping) yourself.
SEE ALSO
Carp CGI::Application CGI::Application::Plugin::Session Exporter Digest::SHA1 HTML::TokeParser List::Util
AUTHOR
Akira Horimoto <kurt0027@gmail.com>
COPYRIGHT
Copyright (C) 2006 Akira Horimoto
This module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.