Form Bots and the Authenticity Token

How are bots able to create authenticity tokens that are valid? I
thought
for sure authenticity tokens would make my forms bullet proof for bots.

Thanks,
Tom

from my experience, the best is to use some questions like ‘what date is
today’ or ‘what color do cranberries have’ … :slight_smile:

this is absolutely bulletproof

tom

On Jul 27, 2012, at 22:24 , Tom R. [email protected] wrote:

For more options, visit https://groups.google.com/groups/opt_out.

Tomas Meinlschmidt, MS {MCT, MCP+I, MCSE, AER}, NetApp Filer/NetCache

www.meinlschmidt.com www.maxwellrender.cz www.lightgems.cz

The authenticity token just ensures that the “agent” (person or bot) who
submits the form first has to request the form. (right?)

If it’s a public form, a bot is just as capable of requesting the form,
saving the authenticity token, and submitting it back with the
authenticity token.

The only real way to guard against bots is Captcha

Yes, but it that case I would expect to see a GET request where they get
the token before they actually POST the form? If I look in the logs all
I
see are these bots posting over and over again with different tokens,
but
apparently all legit.

Auth token is based on the current session only, so it prevents user
from
submiting a form in the name of another user, but does nothing to check
if
he’s a human.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs