Form Bots and the Authenticity Token

How are bots able to create authenticity tokens that are valid? I was
sure authenticity tokens would make my forms bulletproof against bots.


From my experience, the best is to use some questions like "What date is
today?" or "What color are cranberries?" … :slight_smile:

This is absolutely bulletproof.


On Jul 27, 2012, at 22:24 , Tom R. [email protected] wrote:

Tomas Meinlschmidt, MS {MCT, MCP+I, MCSE, AER}, NetApp Filer/NetCache

The authenticity token just ensures that the “agent” (person or bot) who
submits the form first has to request the form. (right?)

If it’s a public form, a bot is just as capable of requesting the form,
saving the authenticity token, and submitting it back with the
authenticity token.

The only real way to guard against bots is a CAPTCHA.
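To make "tied to the session" concrete, here is a simplified re-implementation of how a masked authenticity token is generated and verified. It is an example added for this thread, not code from Rails itself; the class name `CsrfProtection`, the `demo` method and the plain-hash session stores are assumptions made for the illustration. The secret lives in the session, the form carries a freshly masked copy on every render, and verification only asks whether the unmasked value matches the secret of the session that submits it.

```ruby
require "securerandom"
require "base64"

# Simplified, session-bound authenticity token (illustration for this thread,
# not the Rails implementation). A session is modelled as a plain Hash.
class CsrfProtection
  TOKEN_LENGTH = 32 # raw secret size in bytes

  # One secret per session, created the first time a form is rendered.
  def self.real_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
  end

  # The value placed in the form is the secret XORed with a fresh one-time
  # pad, so every rendered form carries a different-looking token that still
  # unmasks to the same session secret.
  def self.masked_token(session)
    raw = Base64.strict_decode64(real_token(session))
    pad = SecureRandom.random_bytes(raw.bytesize)
    Base64.strict_encode64(pad + xor(pad, raw))
  end

  # Verification unmasks the submitted value and compares it with the secret
  # stored in *this* session. Nothing about the submitter is checked.
  def self.valid?(session, submitted)
    return false unless session[:_csrf_token]
    decoded = Base64.strict_decode64(submitted.to_s)
    return false unless decoded.bytesize == 2 * TOKEN_LENGTH
    pad    = decoded[0, TOKEN_LENGTH]
    masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_compare(xor(pad, masked), Base64.strict_decode64(session[:_csrf_token]))
  rescue ArgumentError # not valid base64
    false
  end

  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
  end

  # Constant-time comparison so token checking does not leak match length.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # The situation described in the thread: any agent that requests the form
  # obtains a token valid for its own session; a token copied from another
  # session, or submitted without a session, is rejected.
  def self.demo
    human = {} # constructed stand-in for a browser's session
    bot   = {} # the bot keeps its own cookie jar, hence its own session
    human_form_token = masked_token(human)
    bot_form_token   = masked_token(bot) # the bot's GET of the form
    {
      bot_own_token:      valid?(bot, bot_form_token),    # true
      human_token_on_bot: valid?(bot, human_form_token),  # false
      no_session:         valid?({}, bot_form_token),     # false
      garbage:            valid?(human, "not-a-token")    # false
    }
  end
end

puts CsrfProtection.demo.inspect if $PROGRAM_NAME == __FILE__
```

Because each render produces a new mask, a log full of POSTs carrying different, all-valid tokens is exactly what this scheme produces for any client that fetched the form with its own session first.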

Yes, but in that case I would expect to see a GET request where they get
the token before they actually POST the form? If I look in the logs, all I
see are these bots posting over and over again with different tokens,
apparently all legit.
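One way to check the log for the pattern described in this post is to correlate each POST to the form with the most recent GET of the same path from the same client address. This is an added example, not code from the thread or from Rails; the log lines below are constructed in the `Started VERB "path" for IP at TIME` style that Rails 3 writes, the `/contact` path and IP addresses are made up, and the 600-second window is an arbitrary assumption. As the thread notes, a bot that requests the form first passes this check, so it is a triage aid rather than a control.

```ruby
require "time"

# Constructed sample log in the Rails 3 request-line style (not real traffic).
SAMPLE_LOG = <<~LOG
  Started GET "/contact" for 203.0.113.10 at 2012-07-27 22:20:01 +0200
  Started POST "/contact" for 203.0.113.10 at 2012-07-27 22:21:30 +0200
  Started POST "/contact" for 198.51.100.7 at 2012-07-27 22:22:05 +0200
  Started POST "/contact" for 198.51.100.7 at 2012-07-27 22:22:06 +0200
  Started GET "/contact" for 198.51.100.8 at 2012-07-27 21:00:00 +0200
  Started POST "/contact" for 198.51.100.8 at 2012-07-27 22:23:00 +0200
LOG

LINE_RE = /\AStarted (?<verb>[A-Z]+) "(?<path>[^"]+)" for (?<ip>\S+) at (?<time>.+)\z/

Entry = Struct.new(:verb, :path, :ip, :time)

# Parses request lines into entries; lines that do not match are skipped.
def parse_log(text)
  text.each_line.filter_map do |line|
    m = LINE_RE.match(line.strip) or next
    Entry.new(m[:verb], m[:path], m[:ip], Time.parse(m[:time]))
  end
end

# Returns the POSTs to +path+ whose source address did not GET the form
# within +window+ seconds beforehand.
def posts_without_prior_get(entries, path, window: 600)
  last_get = {} # ip => time of the most recent GET of the form
  entries.sort_by(&:time).filter_map do |e|
    next unless e.path == path
    if e.verb == "GET"
      last_get[e.ip] = e.time
      nil
    elsif e.verb == "POST"
      seen = last_get[e.ip]
      e if seen.nil? || (e.time - seen) > window
    end
  end
end

if $PROGRAM_NAME == __FILE__
  posts_without_prior_get(parse_log(SAMPLE_LOG), "/contact").each do |e|
    puts "POST #{e.path} from #{e.ip} at #{e.time} without a recent GET"
  end
end
```

On the sample data the two POSTs from 198.51.100.7 are flagged because that address never fetched the form, and the POST from 198.51.100.8 is flagged because its GET was more than ten minutes earlier; the 203.0.113.10 pair looks like a normal form round trip.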

The auth token is based on the current session only, so it prevents a user
from submitting a form in the name of another user, but does nothing to check
that he's a human.