[CAF] Re: Form state (was Re: who's doing what?)

Michael Graham magog at the-wire.com
Thu Oct 20 16:31:17 EDT 2005

"G. Matthew Rice" <matt at starnix.com> wrote:
> Michael Graham <magog at the-wire.com> writes:
> > Based on discussions with Richard and Cees Hek, I wrote a module for
> > this purpose:
> >
> >     http://search.cpan.org/dist/CGI-Application-Plugin-FormState
> >
> > It puts a single hidden field in your form:
> >
> >     <input type="hidden" name="cap_form_state" value="<tmpl_var cap_form_state>">
> >
> > And it uses the value of this field as a key in the user's session where
> > the actual data is stored:

> How do the session_id and checksum values work into this?

The make_link stuff (which incidentally has been spun off into
CAP::LinkIntegrity) still should work fine.

Basically, we've split the protection of links and the protection of
POST forms into two independent systems that work side by side.

Think of CAP::FormState as a secure replacement for hidden fields.

The link still has a checksum to guard its parameters.  The POSTed data
is protected by CAP::FormState in the sense that there are no insecure
hidden fields.  All POSTed data comes from the user.


Michael Graham <magog at the-wire.com>
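The pattern described in the thread, as an added illustration (Python, not the module's Perl code and not the CAP::FormState API): the actual form data stays in the server-side session and the form carries only one opaque key, so the only thing the browser sends back is that key, and the handler never trusts values that could have been edited in a hidden field. `FormStateStore`, the session dict and the field names are assumptions for the example.

```python
import secrets


class FormStateStore:
    """Secure stand-in for hidden fields (hypothetical helper, not the module's API).
    Data is kept in the user's session; the form only carries an unguessable key."""

    def __init__(self, session):
        self.session = session  # dict-like per-user session store (constructed)

    def create(self, data):
        # Random key goes into the single hidden field; the data never leaves the server
        key = secrets.token_hex(16)
        self.session.setdefault("form_state", {})[key] = dict(data)
        return key

    def consume(self, key):
        # Unknown, tampered or foreign-session key yields None. One-shot: the entry is
        # removed so a replayed POST cannot reuse the same state.
        return self.session.get("form_state", {}).pop(key, None)


def render_hidden_field(key):
    # The only hidden field the form needs
    return f'<input type="hidden" name="cap_form_state" value="{key}">'


def handle_post(store, posted):
    """Simulated POST handler; `posted` is the parsed form body (constructed input).
    Server-decided values (item, price) come from the session state; only genuinely
    user-entered fields (quantity) are read from the POST body."""
    state = store.consume(posted.get("cap_form_state", ""))
    if state is None:
        return None  # reject: no matching state in this user's session
    return {"item_id": state["item_id"], "price": state["price"], "qty": posted.get("qty")}
```

A key stolen from one user's form is useless in another user's session, because the lookup is scoped to the session that created it.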

