Make life a little more difficult for spammers

Sessions are now stored in a cookie (signed and Base-64 encoded).
Form_spam_protection stores form_keys in the session.
Make sure spambots implement both cookies and javascript, by storing hashed (with salt) keys in the session.

vendor/plugins/form_spam_protection/lib/form_spam_protection.rb

@@ -13,11 +13,14 @@ module FormSpamProtection
   
   def protect_form_handler_from_spam
     unless request.get? || request.xml_http_request?
-      if params[:_form_key] && session[:form_keys] && session[:form_keys].keys.include?(params[:_form_key])
+      if params[:_form_key] && session[:form_keys] 
-        session[:form_keys][params[:_form_key]][1] += 1
+        key = session.dbman.generate_digest(params[:_form_key])
-        if session[:form_keys][params[:_form_key]][1] >= 4
+        if session[:form_keys].keys.include?(key)
-          render :text => "You cannot resubmit this form again.", :layout => 'error', :status => 403
+          session[:form_keys][key][1] += 1
-          return false
+          if session[:form_keys][key][1] >= 4
+            render :text => "You cannot resubmit this form again.", :layout => 'error', :status => 403
+            return false
+          end
         end
       else
         render :text => "You must have Javascript on to submit this form.", :layout => 'error', :status => 403

vendor/plugins/form_spam_protection/lib/form_tag_helper_extensions.rb

@@ -8,7 +8,7 @@ module ActionView
           if name == :form && @protect_form_from_spam
             session[:form_keys] ||= {}
             form_key = Digest::SHA1.hexdigest(self.object_id.to_s + rand.to_s)
-            session[:form_keys][form_key] = [Time.now, 0]
+            session[:form_keys][session.dbman.generate_digest(form_key)] = [Time.now, 0]
             if session[:form_keys].length > 30
               first = session[:form_keys].values.sort { |a,b| a[0] <=> b[0] } [0]
               session[:form_keys].delete(session[:form_keys].index(first))