Open tlaurion opened 7 years ago
Had a discussion with @tlaurion about approaches.
We came up with the following approach.
For each request in a session a token is created. This token is added to a header and sent to the client. Also the token is added to the allowed tokens for this session.
Any destructive or resource-intensive action such as update, remove, and SQL searches will require a valid session token to be placed in a header.
Reads will not require a valid token to allow a user to refresh pages and have multiple pages open.
Any destructive action will accept any token created for a session.
Each destructive request would need to add the token header via JavaScript.
Things that can or should be explored
General recommendation:
Developers are encouraged to make use of both the JavaScript DOM Manipulation and the JSP tag library strategies for a complete token injection strategy. The JavaScript DOM Manipulation strategy is ideal as it is automated and requires minimal effort on behalf of the developer.
SRC: OWASP
On using Pluck middleware to fix XSRF through DOM Manipulation strategy in perl under Catalyst:
As far as fixing this goes, I was still looking for a solution to fix this in one place. The app is big enough on JS that I wasn't about to scour for every GET and fix this manually. It turns out that jQuery has a solution for this as well, courtesy of StackOverflow:
SRC: blogs.perl.org
Would it be a good way? Catalyst::Controller::RequestToken
Also, the admin session is kept alive for a day? Why is the default so high?