Subject: tokens out of cookies and cached or in hidden fields.
hey dude,
I've just had a bit of a look at your plugin, and think it's a good thing
(tm). I plan on implementing it in an application framework I have built
around CGI::Application.
Rather than sending the tokens off in a cookie there are a couple of
possible options (and I don't mind helping develop them with you):
1) A CAPTCHA will typically be used in a form, so why not include the token
in a hidden form field à la CGI::Application run modes? While it doesn't
solve the problem of sending the token to the client for analysis, it
does solve the problem of sending cookies to browsers that have
them turned off.
2) In my framework I'm using Apache::Cache. It would be possible to use
a memory cache to organise this. Your plugin would save the token
in the cache, and when the user submits their form, the plugin would
then go and search for said key in the cache.
I only say Apache::Cache because *I'm* using it, but the plugin could be
written to employ any pre-built module, or something as simple as a tied
hash.
If you're interested let me know...
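As an added illustration of option 2 above (example code, not the plugin's or this framework's own), a minimal server-side token store using a plain hash where Apache::Cache or a tied hash would sit: the CAPTCHA answer stays on the server under an opaque key, only the key goes to the client in a hidden field, and on submission the key is looked up once, checked for expiry and removed so it cannot be replayed. The `$TTL` value and the sample answer are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for Apache::Cache (or a tied hash): key => [answer, expiry_epoch].
my %store;
my $TTL = 300;   # seconds a CAPTCHA stays valid (assumed value)

# Opaque key from the OS random source; rand() is not suitable here.
sub random_key {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read $fh, my $bytes, 32 or die "read: $!";
    close $fh;
    return unpack 'H*', $bytes;
}

# Issue a token: returns the key to place in the hidden form field.
# The CAPTCHA answer itself never leaves the server.
sub issue_token {
    my ($answer) = @_;
    my $key = random_key();
    $store{$key} = [ $answer, time() + $TTL ];
    return $key;
}

# Verify on submission. The key is consumed whether or not the answer
# matches, so a captured key cannot be reused for a second attempt.
sub verify_token {
    my ($key, $submitted) = @_;
    return 0 unless defined $key && defined $submitted && exists $store{$key};
    my ($answer, $expiry) = @{ delete $store{$key} };
    return 0 if time() > $expiry;
    return 0 unless length($answer) == length($submitted);
    # Constant-time comparison so response timing does not leak the answer.
    my $diff = 0;
    $diff |= ord(substr($answer, $_, 1)) ^ ord(substr($submitted, $_, 1))
        for 0 .. length($answer) - 1;
    return $diff == 0 ? 1 : 0;
}

# Periodic sweep so abandoned forms do not accumulate entries.
sub expire_stale {
    my $now = time();
    delete $store{$_} for grep { $store{$_}[1] < $now } keys %store;
}

# Demonstration with a constructed CAPTCHA answer.
my $key = issue_token('k7x2q');
print 'first submission:  ', (verify_token($key, 'k7x2q') ? 'accepted' : 'rejected'), "\n";
print 'replayed key:      ', (verify_token($key, 'k7x2q') ? 'accepted' : 'rejected'), "\n";
```

With a shared cache such as Apache::Cache the same get/set/remove steps apply across worker processes, which a per-process hash like this one does not give you.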