Form Bots and the Authenticity Token
30 views
Skip to first unread message
Tom Rossi
Jul 27, 2012, 4:24:40 PM7/27/12
to rubyonra...@googlegroups.com
How are bots able to create authenticity tokens that are valid? I thought for sure authenticity tokens would make my forms bullet proof for bots.
Thanks,
Tom
Tom Meinlschmidt
Jul 27, 2012, 4:45:56 PM7/27/12
to rubyonra...@googlegroups.com
from my experience, the best is to use some questions like 'what date is today' or 'what color do cranberries have' .. :)
this is absolutely bulletproof
tom
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
> To post to this group, send email to rubyonra...@googlegroups.com.
> To unsubscribe from this group, send email to rubyonrails-ta...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/Y70xtlw-zlsJ.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
--
===============================================================================
Tomas Meinlschmidt, MS {MCT, MCP+I, MCSE, AER}, NetApp Filer/NetCache
www.meinlschmidt.com www.maxwellrender.cz www.lightgems.cz
===============================================================================
this is absolutely bulletproof
tom
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
> To post to this group, send email to rubyonra...@googlegroups.com.
> To unsubscribe from this group, send email to rubyonrails-ta...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/Y70xtlw-zlsJ.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
--
===============================================================================
Tomas Meinlschmidt, MS {MCT, MCP+I, MCSE, AER}, NetApp Filer/NetCache
www.meinlschmidt.com www.maxwellrender.cz www.lightgems.cz
===============================================================================
Jason Fleetwood-Boldt
Jul 27, 2012, 5:01:07 PM7/27/12
to rubyonra...@googlegroups.com
The authenticity token just ensures that the "agent" (person or bot) who submits the form first has to request the form. (right?)
If it's a public form, a bot is just as capable of requesting the form, saving the authenticity token, and submitting it back with the authenticity token.
The only real way to guard against bots is Captcha
Tom Rossi
Jul 29, 2012, 5:35:53 PM7/29/12
to rubyonra...@googlegroups.com
Yes, but it that case I would expect to see a GET request where they get the token before they actually POST the form? If I look in the logs all I see are these bots posting over and over again with different tokens, but apparently all legit.
On Friday, July 27, 2012 5:01:07 PM UTC-4, Jason FB wrote:
On Friday, July 27, 2012 5:01:07 PM UTC-4, Jason FB wrote:
The authenticity token just ensures that the "agent" (person or bot) who submits the form first has to request the form. (right?)If it's a public form, a bot is just as capable of requesting the form, saving the authenticity token, and submitting it back with the authenticity token.The only real way to guard against bots is Captcha
On Jul 27, 2012, at 4:24 PM, Tom Rossi wrote:
How are bots able to create authenticity tokens that are valid? I thought for sure authenticity tokens would make my forms bullet proof for bots.Thanks,Tom--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages