The auth token is based on the current session only, so it prevents a user from submitting a form in the name of another user, but does nothing to check if they're human.
On Saturday, July 28, 2012 12:01:07 AM UTC+3, Jason FB wrote:
>
> The authenticity token just ensures that the "agent" (person or bot) who
> submits the form first has to request the form. (right?)
>
> If it's a public form, a bot is just as capable of requesting the form,
> saving the authenticity token, and submitting it back with the authenticity
> token.
>
> The only real way to guard against bots is Captcha
>
> On Jul 27, 2012, at 4:24 PM, Tom Rossi wrote:
>
> > How are bots able to create authenticity tokens that are valid? I thought
> > for sure authenticity tokens would make my forms bullet proof for bots.
> >
> > Thanks,
> > Tom
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Talk" group.
> To post to this group, send email to rubyonrails-talk@googlegroups.com.
> To unsubscribe from this group, send email to
> rubyonrails-talk+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/rubyonrails-talk/-/Y70xtlw-zlsJ.
> For more options, visit https://groups.google.com/groups/opt_out.
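To make the distinction the thread is drawing concrete, here is an added example (not code from the thread and not Rails' own implementation). It is a deliberately simplified model of a per-session authenticity token: the server derives the token from the session id with an HMAC under a constructed demo secret, embeds it in the form, and on POST checks that the submitted token matches the submitter's session. Real Rails stores a random token in the session and masks it per request, but the property being modelled, that the token is bound to whoever requested the form, is the same. The session ids, secret, and form markup are constructed for the demo.

```ruby
require 'securerandom'
require 'openssl'

# Constructed demo secret; stands in for secret_key_base. Hypothetical model,
# not Rails' real CSRF implementation.
DEMO_SECRET = 'constructed-demo-secret'.freeze

# Server side: a fresh session id is issued on the first request (the cookie).
def issue_session
  SecureRandom.hex(16)
end

# Server side: the token handed out in the form is derived from the session,
# so a token from one session never validates against another.
def authenticity_token_for(session_id)
  OpenSSL::HMAC.hexdigest('SHA256', DEMO_SECRET, session_id)
end

# Server side: render the form the way form_for/form_with embeds the token.
def render_form(session_id)
  <<~HTML
    <form action="/comments" method="post">
      <input type="hidden" name="authenticity_token" value="#{authenticity_token_for(session_id)}">
      <input type="text" name="comment[body]">
    </form>
  HTML
end

# Constant-time comparison so the check itself does not leak the token.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: what the POST-time token check conceptually does.
def token_valid?(session_id, submitted_token)
  return false if session_id.nil? || submitted_token.nil?
  secure_compare(authenticity_token_for(session_id), submitted_token)
end

# Client side: all a bot needs is the hidden field out of the HTML.
def extract_token(html)
  html[/name="authenticity_token"\s+value="([^"]+)"/, 1]
end

# A spam bot: GET the form (receiving its own session cookie), scrape the
# token, POST it back. The check passes, because the bot is a perfectly
# legitimate first-party client of the form. Nothing here asks "is this a human?".
def bot_submission_accepted?
  bot_session = issue_session
  token = extract_token(render_form(bot_session))
  token_valid?(bot_session, token)
end

# Cross-site request forgery: the victim's browser attaches the victim's
# session cookie, but the attacker's page cannot read the victim's form, so the
# best it can supply is a token from the attacker's own session, or none at all.
def csrf_submission_accepted?(attacker_supplies_token: true)
  victim_session = issue_session
  attacker_session = issue_session
  token = attacker_supplies_token ? extract_token(render_form(attacker_session)) : nil
  token_valid?(victim_session, token)
end

if __FILE__ == $PROGRAM_NAME
  puts "bot with its own session: #{bot_submission_accepted? ? 'accepted' : 'rejected'}"
  puts "forged cross-site POST:   #{csrf_submission_accepted? ? 'accepted' : 'rejected'}"
end
```

A real bot does exactly what `bot_submission_accepted?` does, only over HTTP: a GET with `Net::HTTP`, keeping the `Set-Cookie` header, then a POST carrying that cookie and the scraped `authenticity_token`. The forged case is the one the token is designed to stop; the bot case is not, which is why the thread lands on Captcha (or rate limiting, honeypot fields, and similar) as the separate control for "is this a human?".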