Manual Reference Pages  -  CATALYST::CONTROLLER::REQUESTTOKEN (3)


NAME

Catalyst::Controller::RequestToken - Handling transaction tokens across forms


SYNOPSIS

This controller requires the Catalyst::Plugin::Session module. In your application class:



    use Catalyst qw/
        Session
        Session::State::Cookie
        Session::Store::FastMmap
        FillInForm
     /;



in your controller class:



    use base qw(Catalyst::Controller::RequestToken);

    # Step 1: render the initial form; no token exists yet.
    sub form :Local {
        my ($self, $c) = @_;
        $c->stash( template => 'form.tt' );
    }

    # Step 2: CreateToken stores a fresh token in the session and the request;
    # confirm.tt echoes it back to the client in a hidden field.
    sub confirm :Local :CreateToken {
        my ($self, $c) = @_;
        $c->stash( template => 'confirm.tt' );
    }

    # Step 3: ValidateToken compares the posted token with the session token
    # and expires it; is_valid_token() reports the outcome of that check.
    sub complete :Local :ValidateToken {
        my ($self, $c) = @_;

        if ($self->is_valid_token($c)) {
            $c->response->body('complete.');
        }
        else {
            $c->response->body('invalid operation.');
        }
    }



form.tt



    <html>
    <body>
    <form action="confirm" method="post">
    <input type="submit" name="submit" value="confirm"/>
    </form>
    </body>
    </html>



confirm.tt



    <html>
    <body>
    <form action="complete" method="post">
    <input type="hidden" name="_token" value="[% c.req.param('_token') %]"/>
    <input type="submit" name="submit" value="complete"/>
    </form>
    </body>
    </html>



DESCRIPTION

This controller lets you enforce a single transaction across multiple forms. By issuing a token and requiring it on the final submit, you can prevent duplicate submissions and protect your application from CSRF attacks.

This module REQUIRES Catalyst::Plugin::Session to store the server-side token.

ATTRIBUTES

CreateToken
    Creates a new token and stores it in both the request and the session. The action can then render content (for example a form) that carries the request token, which the client must post back to the server.

ValidateToken
    After CreateToken, the client posts the token back with its request, so the receiving action must validate that the posted token is correct.

    The ValidateToken attribute makes your action validate the request token by comparing it with the session token created by the CreateToken attribute.

    If the token is valid, the server-side token is expired, so the same token cannot be accepted a second time. Use is_valid_token() to check whether the token in this request was valid or not.

RemoveToken
    Removes the token from the session. The request token will no longer be valid.
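The CreateToken / ValidateToken lifecycle described above, as an added framework-free example that is not part of Catalyst::Controller::RequestToken. It assumes a plain hash (%session) in place of Catalyst::Plugin::Session storage and a hash of posted parameters in place of the request, with key names taken from the CONFIGURATION section; the walk-through shows a first submit being accepted, a replay of the same token being rejected, and a forged token being rejected.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed config mirroring the CONFIGURATION section's defaults.
my %config = ( session_name => '_token', request_name => '_token' );

# CreateToken: mint an unpredictable token, keep it server side, and return it
# for the hidden _token field. The entropy source here is for demonstration
# only; a real deployment should draw the token from a CSPRNG.
sub create_token {
    my ($session) = @_;
    my $token = sha256_hex( join '|', time(), $$, rand() );
    $session->{ $config{session_name} } = $token;
    return $token;
}

# Constant-time comparison so a mismatch is not revealed through timing.
sub secure_eq {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y && length($x) == length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# ValidateToken: compare the posted token with the session token; on success
# the session token is expired, so a duplicate submit of the same form fails.
sub validate_token {
    my ($session, $req) = @_;
    my $expected = $session->{ $config{session_name} };
    my $ok = secure_eq( $req->{ $config{request_name} }, $expected );
    delete $session->{ $config{session_name} } if $ok;   # one-time use
    return $ok;
}

# Walk-through with constructed data.
my %session;
my $token = create_token(\%session);                          # confirm.tt renders this
print validate_token(\%session, { _token => $token }), "\n";  # 1: first submit accepted
print validate_token(\%session, { _token => $token }), "\n";  # 0: replay, token expired
create_token(\%session);
print validate_token(\%session, { _token => 'forged' }), "\n"; # 0: forged token rejected
```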

METHODS

All methods must be passed the request context as their first parameter.

token

create_token

remove_token

validate_token
    Returns whether the token is valid or not. This will work correctly only after ValidateToken.

is_valid_token

CONFIGURATION

In your application class:



    __PACKAGE__->config(Controller::TokenBasedMyController => {
        session_name => '_token',
        request_name => '_token',
    });



session_name
    Default: _token

request_name
    Default: _token

validate_stash_name
    Default: _token

SEE ALSO

Catalyst::Controller::RequestToken::Action::CreateToken
Catalyst::Controller::RequestToken::Action::ValidateToken
Catalyst
Catalyst::Controller
Catalyst::Plugin::Session
Catalyst::Plugin::FormValidator::Simple

AUTHOR

Hideo Kimura <hide at hide-k.net>

COPYRIGHT

This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

The full text of the license can be found in the LICENSE file included with this module.



perl v5.20.3 CATALYST::CONTROLLER::REQUESTTOKEN (3) 2012-08-09
