[CAF] Re: Form state (was Re: who's doing what?)
magog at the-wire.com
Thu Oct 20 16:31:17 EDT 2005
"G. Matthew Rice" <matt at starnix.com> wrote:
> Michael Graham <magog at the-wire.com> writes:
> > Based on discussions with Richard and Cees Hek, I wrote a module for
> > this purpose:
> > http://search.cpan.org/dist/CGI-Application-Plugin-FormState
> > It puts a single hidden field in your form:
> > <input type="hidden" name="cap_form_state" value="<tmpl_var cap_form_state>">
> > And it uses the value of this field as a key in the user's session where
> > the actual data is stored:
> How do the session_id and checksum values work into this?
The make_link stuff (which incidentally has been spun off into
CAP::LinkIntegrity) still should work fine.
Basically, we've split the protection of links and the protection of
POST forms into two independent systems that work side by side.
Think of CAP::FormState as a secure replacement for hidden fields.
The link still has a checksum to guard its parameters. The POSTed data
is protected by CAP::FormState in the sense that there are no insecure
hidden fields. All POSTed data comes from the user.
Michael Graham <magog at the-wire.com>
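The split Michael describes above, sketched as an added Python illustration (this is not the code of CAP::FormState or CAP::LinkIntegrity): the hidden field carries only an opaque random key into server-side session storage, while link parameters are guarded by an HMAC checksum. The in-memory session dict, `SECRET`, and all function names are constructed for this example.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlencode, parse_qs

SECRET = b"constructed-demo-secret"  # assumption: application-wide link-signing key


def form_state_create(session, data):
    """Store form data server-side; return the opaque key for the hidden field."""
    key = secrets.token_hex(16)  # random and unguessable; the browser sees only this
    session.setdefault("form_state", {})[key] = dict(data)
    return key


def form_state_load(session, key):
    """Resolve a posted cap_form_state value; None if unknown or malformed."""
    if not isinstance(key, str):
        return None
    return session.get("form_state", {}).get(key)


def hidden_field(key):
    """The single hidden field the form carries; no application data inside it."""
    return f'<input type="hidden" name="cap_form_state" value="{key}">'


def make_link(base, params):
    """Build a link whose query string is protected by an HMAC checksum."""
    qs = urlencode(sorted(params.items()))
    mac = hmac.new(SECRET, qs.encode(), hashlib.sha256).hexdigest()
    return f"{base}?{qs}&_checksum={mac}"


def verify_link(url):
    """Return the link's parameters if the checksum matches, else None."""
    _, _, query = url.partition("?")
    parsed = parse_qs(query, keep_blank_values=True)
    mac_list = parsed.pop("_checksum", None)
    if not mac_list:
        return None
    params = {k: v[0] for k, v in parsed.items()}
    qs = urlencode(sorted(params.items()))
    expected = hmac.new(SECRET, qs.encode(), hashlib.sha256).hexdigest()
    return params if hmac.compare_digest(expected, mac_list[0]) else None
```

Because the stored data never leaves the server, editing the hidden field can only yield a lookup miss, and editing a link parameter invalidates its checksum.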