Saturday, July 28, 2012
Auth token is based on the current session only, so it prevents user from submiting a form in the name of another user, but does nothing to check if he's a human.
On Saturday, July 28, 2012 12:01:07 AM UTC+3, Jason FB wrote:
--The authenticity token just ensures that the "agent" (person or bot) who submits the form first has to request the form. (right?)If it's a public form, a bot is just as capable of requesting the form, saving the authenticity token, and submitting it back with the authenticity token.The only real way to guard against bots is CaptchaOn Jul 27, 2012, at 4:24 PM, Tom Rossi wrote:How are bots able to create authenticity tokens that are valid? I thought for sure authenticity tokens would make my forms bullet proof for bots.Thanks,Tom--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com .
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com .
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/ .Y70xtlw-zlsJ
For more options, visit https://groups.google.com/groups/opt_out .
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/erb-QW-WXhUJ.
For more options, visit https://groups.google.com/groups/opt_out.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment