We'll update the documentation for our CSRF protection module which
describes its background, the solution we picked, and the migration path we
took. Once this is done - I'm on vacation for a week - we'll upload a tarball
to the file-storage.

Jeff, protecting OpenACS against CSRF protection is certainly a
time-consuming (and not exactly interesting) activity. The application I
converted had about 570 files - it was mostly mechanical and dull work and
took about 4 days.

The migration was as follows: For the first few weeks, the CSRF protection
module would only log "suspicious" accesses. Programmers and/or template
authors were notified of the suspicious attack and would check the affected
pages and templates - and protect them. That way we did not impact the
live site.

So I don't think it is too much work, it can be shared quite well, and it
must be done because OpenACS with its readable URLs is quite vulnerable to it.
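
The log-only migration phase described in the post above, as an added Python sketch; it is not code from the poster's module or from OpenACS. The session-bound HMAC token scheme, the `CsrfGuard` class, the secret and the sample paths are all assumptions made for illustration.

```python
import hashlib
import hmac
import logging
from collections import Counter

log = logging.getLogger("csrf")
SECRET = b"constructed-demo-secret"  # constructed value; load from config in practice


def make_token(session_id: str) -> str:
    """Token bound to the session; converted templates embed it in forms/links."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


class CsrfGuard:
    """Hypothetical filter applied to every state-changing request."""

    def __init__(self, enforce: bool = False):
        self.enforce = enforce        # False = log-only migration phase
        self.suspicious = Counter()   # path -> hits without a valid token

    def check(self, path: str, session_id: str, token) -> bool:
        """Return True if the request may proceed."""
        expected = make_token(session_id).encode()
        if token is not None and hmac.compare_digest(token.encode(), expected):
            return True
        # Missing or wrong token: record which page still needs converting.
        self.suspicious[path] += 1
        log.warning("csrf: no valid token path=%s enforce=%s", path, self.enforce)
        return not self.enforce       # log-only mode never blocks live traffic

    def report(self):
        """Pages still to be protected, most frequently hit first."""
        return self.suspicious.most_common()


# Constructed sample traffic: (path, session id, submitted token)
SAMPLE = [
    ("/forums/message-post", "s1", make_token("s1")),  # template already converted
    ("/bookmarks/delete", "s1", None),                 # template not yet converted
    ("/bookmarks/delete", "s2", None),
    ("/forums/message-post", "s2", make_token("s1")),  # token from another session
]


def replay(guard: CsrfGuard):
    return [guard.check(*request) for request in SAMPLE]
```

Running `replay` with `enforce=False` lets every request through while `report()` lists the pages to hand to their authors; switching to `enforce=True` is the cut-over once that list stays empty.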