Yes, but in that case I would expect to see a GET request where they get the token before they actually POST the form? If I look in the logs all I see are these bots posting over and over again with different tokens, but apparently all legit.
On Friday, July 27, 2012 5:01:07 PM UTC-4, Jason FB wrote:
> The authenticity token just ensures that the "agent" (person or bot) who submits the form first has to request the form. (right?)
>
> If it's a public form, a bot is just as capable of requesting the form, saving the authenticity token, and submitting it back with the authenticity token.
>
> The only real way to guard against bots is Captcha
>
> On Jul 27, 2012, at 4:24 PM, Tom Rossi wrote:
>
> How are bots able to create authenticity tokens that are valid? I thought for sure authenticity tokens would make my forms bullet proof for bots.
>
> Thanks,
> Tom
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
> To post to this group, send email to rubyonrails-talk@googlegroups.com.
> To unsubscribe from this group, send email to rubyonrails-talk+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/Y70xtlw-zlsJ.
> For more options, visit https://groups.google.com/groups/opt_out.
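The log check discussed in this thread, as an added example that is not part of the original messages: it scans Rails-style `Started ...` request lines and reports clients that POST a form without having requested it first. The `/contacts` paths, the sample log lines and the use of the source IP as the client identity are assumptions.

```ruby
# Constructed sample log (RFC 5737 documentation addresses, hypothetical paths).
SAMPLE_LOG = <<~LOG
  Started GET "/contacts/new" for 192.0.2.10 at 2012-07-27 16:20:01 -0400
  Started POST "/contacts" for 192.0.2.10 at 2012-07-27 16:20:40 -0400
  Started POST "/contacts" for 198.51.100.7 at 2012-07-27 16:21:02 -0400
  Started POST "/contacts" for 198.51.100.7 at 2012-07-27 16:21:03 -0400
  Started GET "/contacts/new" for 203.0.113.5 at 2012-07-27 16:22:00 -0400
  Started POST "/contacts" for 203.0.113.5 at 2012-07-27 16:22:01 -0400
  Started POST "/contacts" for 203.0.113.5 at 2012-07-27 16:22:02 -0400
LOG

# Matches the request line Rails writes for every request.
REQUEST_LINE = /\AStarted (GET|POST) "([^"]+)" for (\S+) at /

# Counts, per client IP, form fetches, form submissions, and "orphan"
# submissions (a POST seen before any GET of the form from that IP).
# IP is only an approximation of a client: NAT and proxies merge users.
def form_post_stats(log, form_path:, submit_path:)
  stats = Hash.new { |h, ip| h[ip] = { gets: 0, posts: 0, orphan_posts: 0 } }
  log.each_line do |line|
    m = REQUEST_LINE.match(line.strip)
    next unless m
    verb, path, ip = m[1], m[2][/\A[^?]*/], m[3] # drop any query string
    s = stats[ip]
    if verb == "GET" && path == form_path
      s[:gets] += 1
    elsif verb == "POST" && path == submit_path
      s[:posts] += 1
      s[:orphan_posts] += 1 if s[:gets].zero?
    end
  end
  stats
end

# A failed validation re-renders the form in the POST response, so a real
# user can submit more than once per GET; the default allows for that.
def suspicious_clients(stats, max_posts_per_get: 3)
  stats.select do |_ip, s|
    s[:orphan_posts] > 0 || s[:posts] > s[:gets] * max_posts_per_get
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  stats = form_post_stats(SAMPLE_LOG, form_path: "/contacts/new",
                                      submit_path: "/contacts")
  suspicious_clients(stats).each { |ip| puts "#{ip} #{stats[ip]}" }
end
```
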