Re: [Rails] Form Bots and the Authenticity Token

2012-07-29 Thread Roman
Auth token is based on the current session only, so it prevents a user from submitting a form in the name of another user, but does nothing to check if he's a human. On Saturday, July 28, 2012 12:01:07 AM UTC+3, Jason FB wrote: The authenticity token just ensures that the agent (person or bot)

Re: [Rails] Form Bots and the Authenticity Token

2012-07-29 Thread Tom Rossi
Yes, but in that case I would expect to see a GET request where they get the token before they actually POST the form? If I look in the logs all I see are these bots posting over and over again with different tokens, but apparently all legit. On Friday, July 27, 2012 5:01:07 PM UTC-4, Jason

[Rails] Form Bots and the Authenticity Token

2012-07-27 Thread Tom Rossi
How are bots able to create authenticity tokens that are valid? I thought for sure authenticity tokens would make my forms bullet proof for bots. Thanks, Tom

Re: [Rails] Form Bots and the Authenticity Token

2012-07-27 Thread Tom Meinlschmidt
from my experience, the best is to use some questions like 'what date is today' or 'what color do cranberries have' .. :) this is absolutely bulletproof tom On Jul 27, 2012, at 22:24 , Tom Rossi t...@themolehill.com wrote: How are bots able to create authenticity tokens that are valid? I

Re: [Rails] Form Bots and the Authenticity Token

2012-07-27 Thread Jason Fleetwood-Boldt
The authenticity token just ensures that the agent (person or bot) who submits the form first has to request the form. (right?) If it's a public form, a bot is just as capable of requesting the form, saving the authenticity token, and submitting it back with the authenticity token. The only
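The point Roman and Jason make above (the token is bound to the session, not to a human) is easy to see in a stripped-down model. The following is an added example written for this page; it is not Rails' own code and not something any poster provided. It reduces Rails' protect_from_forgery check to its essentials: one random token per session, embedded in every form rendered in that session, and compared in constant time on each non-GET request. The names CsrfDemo, new_session and scenario are assumptions of this example; form_authenticity_token and verified_request? are named after the real Rails helpers, but the bodies here are a simplification of them.

```ruby
require 'securerandom'

# Added example (not Rails' own implementation): a minimal model of the
# session-bound authenticity-token check that the thread is discussing.
module CsrfDemo
  # A session is just a Hash here; Rails keeps it in a signed cookie or a
  # server-side store, but the binding between token and session is the same.
  def self.new_session
    {}
  end

  # What form_authenticity_token does: mint one random token per session
  # and hand it to every form rendered inside that session.
  def self.form_authenticity_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison so a token check does not leak via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # The check protect_from_forgery performs on POST/PUT/DELETE:
  # does the submitted token match the one stored in *this* session?
  # Nothing here asks whether the submitter is a person.
  def self.verified_request?(session, submitted_token)
    expected = session[:_csrf_token]
    return false if expected.nil? || submitted_token.nil?
    secure_compare(expected, submitted_token)
  end

  # Two independent sessions, one of which could belong to a bot that
  # fetched the public form with GET. Returns a Hash of outcomes.
  def self.scenario
    alice = new_session
    bot   = new_session

    # Rendering the form in each session hands out that session's token.
    alice_token = form_authenticity_token(alice)
    bot_token   = form_authenticity_token(bot)

    {
      # Cross-session submission: the case CSRF protection exists to stop.
      forged_cross_session: verified_request?(bot, alice_token),
      # Same-session submission passes, whether a human or a bot sent it.
      alice_own_token:      verified_request?(alice, alice_token),
      bot_own_token:        verified_request?(bot, bot_token),
      # No session at all (form never fetched): rejected.
      no_session:           verified_request?(new_session, bot_token),
      # Each session gets its own token, which is why a log of many
      # bot sessions shows a different token on every post.
      tokens_differ:        alice_token != bot_token
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  CsrfDemo.scenario.each { |name, outcome| puts "#{name}: #{outcome}" }
end
```

Running the scenario shows both halves of the thread's answer: a token from another session is rejected, while a token from the submitter's own session is accepted no matter who fetched the form, and every fresh session carries a fresh token. Newer Rails versions additionally mask the token per response so the value in the HTML differs from the one in the session, but the check still reduces to this session binding; anything that distinguishes people from bots (a challenge question as Tom Meinlschmidt suggests, rate limiting, a honeypot field) has to be a separate check layered on top.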