The authenticity token just ensures that the "agent" (person or bot) who 
submits the form first has to request the form. (right?)

If it's a public form, a bot is just as capable of requesting the form, saving 
the authenticity token, and submitting it back with the authenticity token.

The only real way to guard against bots is Captcha.

On Jul 27, 2012, at 4:24 PM, Tom Rossi wrote:

> How are bots able to create authenticity tokens that are valid?  I thought 
> for sure authenticity tokens would make my forms bullet proof for bots.
> 
> Thanks,
> Tom
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Ruby on Rails: Talk" group.
> To post to this group, send email to rubyonrails-talk@googlegroups.com.
> To unsubscribe from this group, send email to 
> rubyonrails-talk+unsubscr...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msg/rubyonrails-talk/-/Y70xtlw-zlsJ.
> For more options, visit https://groups.google.com/groups/opt_out.
>  
>  
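
What the token check does and does not verify, as an added example that is not part of the original thread. It is a simplified Ruby model of a per-session token, not Rails' own implementation; `FormServer` and the helper names are hypothetical.

```ruby
require "securerandom"

# Simplified model: the server stores a random token in the session and
# accepts a POST only when the submitted token matches that session's token.
class FormServer
  def initialize
    @sessions = {} # session id => authenticity token
  end

  # GET /form: any client, human or script, gets a session and a token.
  def get_form
    sid = SecureRandom.hex(16)
    @sessions[sid] = SecureRandom.base64(32)
    { session_id: sid, authenticity_token: @sessions[sid] }
  end

  # POST /form: verifies only that the token belongs to the presented session.
  def post_form(session_id:, authenticity_token:)
    expected = @sessions[session_id]
    return :rejected if expected.nil? || authenticity_token.nil?
    secure_equal?(expected, authenticity_token) ? :accepted : :rejected
  end

  private

  # Constant-time string comparison for equal-length inputs.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# A client that requests the form first passes the check, whoever it is.
def same_client_result(server)
  form = server.get_form
  server.post_form(session_id: form[:session_id],
                   authenticity_token: form[:authenticity_token])
end

# A cross-site request rides on the user's session but cannot read the
# token from the form, so it has to submit a value that does not match.
def cross_site_result(server)
  user = server.get_form
  server.post_form(session_id: user[:session_id],
                   authenticity_token: SecureRandom.base64(32))
end
```

The check separates requests that came from the site's own form from requests forged by another site; it carries no information about whether the requester is a person.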
