Form Bots and the Authenticity Token

How are bots able to create authenticity tokens that are valid? I thought for sure authenticity tokens would make my forms bullet proof for bots.

Thanks,
Tom

From my experience, the best is to use some questions like ‘what date is it today’ or ‘what color are cranberries’ … :slight_smile:

This is absolutely bulletproof.

tom

On Jul 27, 2012, at 22:24, Tom R. [email protected] wrote:


Tomas Meinlschmidt, MS {MCT, MCP+I, MCSE, AER}, NetApp Filer/NetCache

www.meinlschmidt.com www.maxwellrender.cz www.lightgems.cz

The authenticity token just ensures that the “agent” (person or bot) who
submits the form first has to request the form. (right?)

If it’s a public form, a bot is just as capable of requesting the form,
saving the authenticity token, and submitting it back with the
authenticity token.

The only real way to guard against bots is Captcha

Yes, but in that case I would expect to see a GET request where they get the token before they actually POST the form? If I look in the logs all I see are these bots posting over and over again with different tokens, but apparently all legit.

The auth token is based on the current session only, so it prevents a user from submitting a form in the name of another user, but it does nothing to check if he’s a human.
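As an added illustration of the two points made in this thread (the token only ties a submission to the session that fetched the form, and it says nothing about whether the submitter is a person), here is a constructed Ruby model of a session-bound authenticity token. It is not Rails' own implementation; the server secret, the function names and the simulated session ids are assumptions made for the example.

```ruby
require "openssl"
require "securerandom"

# Constructed example, not Rails' real implementation: a session-bound
# authenticity token is an HMAC over the session id under a server secret.
# The secret below is a placeholder for the example only.
SERVER_SECRET = "placeholder-server-secret".freeze

# Issue the token that belongs to one session. Anyone who can read the
# form page served for that session can read this value; that is by design.
def issue_authenticity_token(session_id)
  OpenSSL::HMAC.hexdigest("SHA256", SERVER_SECRET, session_id)
end

# Constant-time comparison so a wrong token takes the same time to reject
# regardless of how many leading characters happen to match.
def constant_time_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check on POST: the token must match the session in the cookie.
def valid_authenticity_token?(session_id, submitted_token)
  constant_time_equal?(issue_authenticity_token(session_id), submitted_token)
end

# Simulated GET of the form: the server starts a session and embeds the
# token for that session in the page. Returns what the client now holds.
def get_form
  session_id = SecureRandom.hex(16)
  { session_id: session_id, token: issue_authenticity_token(session_id) }
end

# Simulated POST handler. The server only sees a session cookie and a token
# field; nothing in this check can tell a browser from a script.
def post_form(session_id, token)
  valid_authenticity_token?(session_id, token) ? :accepted : :rejected
end

# Any client that fetched the form and kept its session can submit it.
def same_session_submission
  form = get_form
  post_form(form[:session_id], form[:token])
end

# A token taken from one session and submitted under another is rejected:
# this is the cross-user protection the thread describes.
def cross_session_submission
  form = get_form
  other = get_form
  post_form(other[:session_id], form[:token])
end

if __FILE__ == $PROGRAM_NAME
  puts "same session:  #{same_session_submission}"   # accepted
  puts "cross session: #{cross_session_submission}"  # rejected
end
```

The check passes for whoever holds both the session cookie and the matching token, which is exactly why a valid token in the logs is not evidence of a human on the other end; a separate control such as a CAPTCHA is what answers that question.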