Implement XSRF for the admin

[tlaurion]

Would it be a good way? Catalyst::Controller::RequestToken

Also, the admin session is kept alive for a day? Why the default is so high?

[jrouzierinverse]

Had a discussion with @tlaurion about approaches.

We came up with the following approach.

For each request in a session a token is created. This token is added to a header and sent to the client. Also the token is added to the allowed tokens for this session.

Any destructive or resource intensive action such as update, remove, and sql searches will require a valid session token to be placed in a header.

Reads will not require a valid token to allow a user to refresh pages and have multiple pages open.

Any destructive action will accept any token created for a session.

Each destructive request would need to add the token header via javascript.

Things that can or should be explored

• How feasible it is to make a token single use only.
• Per controller tokens - nodes tokens cannot use users token
• How to refresh a token for a page after an AJAX call is made.
• Using input fields to send token.

[tlaurion]

General recommendation: Developers are encouraged to make use of both the JavaScript DOM Manipulation and the JSP tag library strategies for a complete token injection strategy. The JavaScript DOM Manipulation strategy is ideal as it is automated and requires minimal effort on behalf of the developer. SRC: OWASP

On using Pluck middleware to fix XSRF through DOM Manipulation strategy in perl under Catalyst: As far as fixing this goes, I was still looking for a solution to fix this in one place. The app is big enough on JS that I wasn't about to scour for every GET and fix this manually. It turns out that jQuery has a solution for this as well, courtesy of StackOverflow: SRC: blogs.perl.org