How are bots able to create authenticity tokens that are valid? I thought for sure authenticity tokens would make my forms bulletproof for bots.

Thanks,
Tom

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/Y70xtlw-zlsJ.
For more options, visit https://groups.google.com/groups/opt_out.
From my experience, the best is to use some questions like "what date is today" or "what color are cranberries" .. :) This is absolutely bulletproof.

Tom

On Jul 27, 2012, at 22:24, Tom Rossi <tom-5bxIUPmzHicFraO2wh7vUA@public.gmane.org> wrote:
> How are bots able to create authenticity tokens that are valid? I thought for sure authenticity tokens would make my forms bulletproof for bots.

--
Tomas Meinlschmidt, MS {MCT, MCP+I, MCSE, AER}, NetApp Filer/NetCache
www.meinlschmidt.com www.maxwellrender.cz www.lightgems.cz
The authenticity token just ensures that the "agent" (person or bot) who submits the form first has to request the form. (Right?)

If it's a public form, a bot is just as capable of requesting the form, saving the authenticity token, and submitting it back with the authenticity token.

The only real way to guard against bots is Captcha.

On Jul 27, 2012, at 4:24 PM, Tom Rossi wrote:
> How are bots able to create authenticity tokens that are valid? I thought for sure authenticity tokens would make my forms bulletproof for bots.
Auth token is based on the current session only, so it prevents a user from submitting a form in the name of another user, but does nothing to check if he's a human.

On Saturday, July 28, 2012 12:01:07 AM UTC+3, Jason FB wrote:
> The authenticity token just ensures that the "agent" (person or bot) who submits the form first has to request the form. (Right?)
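The two replies above (the token only proves the submitter fetched the form, and it is bound to the session, not to a human) can be shown with a small model of Rails-style forgery protection. This is an added illustration, not Rails' own code: `CsrfApp`, `get_form`, `post` and the three client helpers are hypothetical names, and the session store is an in-memory hash. The behaviour is the one the thread describes: a token minted for session A is rejected in session B, a made-up token is rejected, and a scripted client that simply requests the form first is accepted, exactly like a browser would be.

```ruby
require 'securerandom'

# Constant-time string comparison so token checks don't leak timing information.
# (Rails uses an equivalent helper; this one is written out here for a self-contained example.)
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Simplified model of per-session CSRF tokens (hypothetical class, not Rails' implementation).
class CsrfApp
  def initialize
    @sessions = {} # session_id => session hash, standing in for the cookie-backed session
  end

  # GET /form: create a session if needed, mint a token once per session,
  # and render it into the form as a hidden field. Returns [session_id, html].
  def get_form(session_id = nil)
    session_id ||= SecureRandom.hex(16)
    session = (@sessions[session_id] ||= {})
    session[:_csrf_token] ||= SecureRandom.base64(32)
    html = %(<input type="hidden" name="authenticity_token" value="#{session[:_csrf_token]}">)
    [session_id, html]
  end

  # POST /submit: accept only if the submitted token matches the token stored
  # in the *same* session. Nothing here asks whether the submitter is a person.
  def post(session_id, params)
    session = @sessions[session_id]
    return :rejected unless session && session[:_csrf_token]
    submitted = params['authenticity_token'].to_s
    secure_compare(submitted, session[:_csrf_token]) ? :accepted : :rejected
  end
end

# Pull the hidden field's value out of the rendered form, as any HTTP client can.
def extract_token(html)
  html[/name="authenticity_token" value="([^"]+)"/, 1]
end

# A scripted client that requests the form, then submits the token it was given.
# This is what a browser does, so the check passes for a script just as well.
def scripted_client_run(app)
  sid, html = app.get_form
  app.post(sid, 'authenticity_token' => extract_token(html))
end

# A client that submits session A's token from session B: this is the case
# the token actually defends against, and it is rejected.
def cross_session_run(app)
  _sid_a, html_a = app.get_form
  sid_b, _html_b = app.get_form
  app.post(sid_b, 'authenticity_token' => extract_token(html_a))
end

# A client that never fetched the form and has no session at all.
def blind_post_run(app)
  app.post('no-such-session', 'authenticity_token' => SecureRandom.base64(32))
end

if __FILE__ == $PROGRAM_NAME
  app = CsrfApp.new
  puts "scripted client: #{scripted_client_run(app)}"   # accepted
  puts "cross-session:   #{cross_session_run(app)}"     # rejected
  puts "blind post:      #{blind_post_run(app)}"        # rejected
end
```

The point the example makes is the one Jason and the following reply make in prose: the token is a session-binding check (the submission must come from the same session that rendered the form), so it stops a third-party site from posting on a logged-in user's behalf, but it says nothing about who or what is driving that session.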
Yes, but in that case I would expect to see a GET request where they get the token before they actually POST the form? If I look in the logs all I see are these bots posting over and over again with different tokens, but apparently all legit.

On Friday, July 27, 2012 5:01:07 PM UTC-4, Jason FB wrote:
> The authenticity token just ensures that the "agent" (person or bot) who submits the form first has to request the form. (Right?)

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/qUMyyAdtNfIJ.
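Tom's question above ("shouldn't I see a GET before each POST?") is something the request log can be checked for directly. The following is an added example, not code from the thread: it parses constructed Rails 3-style `Started GET/POST ... for <ip> at <time>` lines and flags every POST to the form's action that was not preceded, from the same IP and within a time window, by a GET of the form page. The paths `/comments/new` and `/comments`, the IPs and the timestamps are all made up. Two caveats a practitioner should keep in mind: the default Rails log carries no session id, so the IP is only a rough stand-in for the session (NAT and proxies blur it), and because the token is per session, one GET can legitimately precede many POSTs from the same session.

```ruby
require 'time'

# Constructed sample log (not real traffic). Rails 3 writes one "Started ..." line per request.
SAMPLE_LOG = <<LOG
Started GET "/comments/new" for 203.0.113.7 at 2012-07-27 16:20:01 -0400
Started POST "/comments" for 203.0.113.7 at 2012-07-27 16:20:04 -0400
Started POST "/comments" for 198.51.100.9 at 2012-07-27 16:21:10 -0400
Started POST "/comments" for 198.51.100.9 at 2012-07-27 16:21:11 -0400
Started GET "/comments/new" for 192.0.2.44 at 2012-07-27 15:30:00 -0400
Started POST "/comments" for 192.0.2.44 at 2012-07-27 16:40:00 -0400
Processing by CommentsController#create as HTML
LOG

# Matches the request line; other log lines (Processing by, Rendered, Completed) are ignored.
LINE_RE = /\AStarted (?<verb>GET|POST) "(?<path>[^"]+)" for (?<ip>\S+) at (?<at>.+)\z/

# Turn the log text into an array of request hashes, skipping non-matching lines.
def parse_requests(text)
  text.each_line.map do |line|
    m = LINE_RE.match(line.strip)
    next unless m
    { verb: m[:verb], path: m[:path], ip: m[:ip],
      at: Time.strptime(m[:at], '%Y-%m-%d %H:%M:%S %z') }
  end.compact
end

# Return the POSTs to action_path that have no GET of form_path from the same IP
# within `window` seconds beforehand. Default window: 30 minutes.
def posts_without_prior_get(text, form_path:, action_path:, window: 30 * 60)
  requests = parse_requests(text).sort_by { |r| r[:at] }
  last_form_get = {} # ip => time of the most recent GET of the form page
  flagged = []
  requests.each do |r|
    if r[:verb] == 'GET' && r[:path] == form_path
      last_form_get[r[:ip]] = r[:at]
    elsif r[:verb] == 'POST' && r[:path] == action_path
      seen_at = last_form_get[r[:ip]]
      flagged << r unless seen_at && (r[:at] - seen_at) <= window
    end
  end
  flagged
end

# Per-IP counts of flagged POSTs, which is the shape of "posting over and over again".
def flagged_counts_by_ip(flagged)
  flagged.each_with_object(Hash.new(0)) { |r, counts| counts[r[:ip]] += 1 }
end

if __FILE__ == $PROGRAM_NAME
  flagged = posts_without_prior_get(SAMPLE_LOG, form_path: '/comments/new', action_path: '/comments')
  flagged.each { |r| puts "POST from #{r[:ip]} at #{r[:at]} with no recent GET of the form" }
  flagged_counts_by_ip(flagged).each { |ip, n| puts "#{ip}: #{n} flagged POST(s)" }
end
```

On the constructed sample this flags the two POSTs from 198.51.100.9 (no GET at all) and the one from 192.0.2.44 (its GET was 70 minutes earlier, outside the 30-minute window), and passes the POST from 203.0.113.7. A flagged POST that nevertheless carried a valid token is exactly the situation Tom describes, and the check only narrows down where to look: it cannot by itself say whether the submitter is a person.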