Make life a little more difficult for spammers
Sessions are now stored in a cookie (signed and Base-64 encoded). Form_spam_protection stores form_keys in the session. Make sure spambots implement both cookies and javascript, by storing hashed (with salt) keys in the session.
This commit is contained in:
parent
e7d080db25
commit
bb3ccfed4e
|
@ -13,12 +13,15 @@ module FormSpamProtection
|
|||
|
||||
def protect_form_handler_from_spam
|
||||
unless request.get? || request.xml_http_request?
|
||||
if params[:_form_key] && session[:form_keys] && session[:form_keys].keys.include?(params[:_form_key])
|
||||
session[:form_keys][params[:_form_key]][1] += 1
|
||||
if session[:form_keys][params[:_form_key]][1] >= 4
|
||||
if params[:_form_key] && session[:form_keys]
|
||||
key = session.dbman.generate_digest(params[:_form_key])
|
||||
if session[:form_keys].keys.include?(key)
|
||||
session[:form_keys][key][1] += 1
|
||||
if session[:form_keys][key][1] >= 4
|
||||
render :text => "You cannot resubmit this form again.", :layout => 'error', :status => 403
|
||||
return false
|
||||
end
|
||||
end
|
||||
else
|
||||
render :text => "You must have Javascript on to submit this form.", :layout => 'error', :status => 403
|
||||
return false
|
||||
|
|
|
@ -8,7 +8,7 @@ module ActionView
|
|||
if name == :form && @protect_form_from_spam
|
||||
session[:form_keys] ||= {}
|
||||
form_key = Digest::SHA1.hexdigest(self.object_id.to_s + rand.to_s)
|
||||
session[:form_keys][form_key] = [Time.now, 0]
|
||||
session[:form_keys][session.dbman.generate_digest(form_key)] = [Time.now, 0]
|
||||
if session[:form_keys].length > 30
|
||||
first = session[:form_keys].values.sort { |a,b| a[0] <=> b[0] } [0]
|
||||
session[:form_keys].delete(session[:form_keys].index(first))
|
||||
|
|
Loading…
Reference in a new issue