Make life a little more difficult for spammers

Sessions are now stored in a cookie (signed and Base-64 encoded).
Form_spam_protection stores form_keys in the session.
Make sure spambots implement both cookies and javascript, by storing hashed (with salt) keys in the session.
This commit is contained in:
Jacques Distler 2008-01-18 14:49:28 -06:00
parent e7d080db25
commit bb3ccfed4e
2 changed files with 9 additions and 6 deletions

View file

@ -13,12 +13,15 @@ module FormSpamProtection
def protect_form_handler_from_spam
unless request.get? || request.xml_http_request?
if params[:_form_key] && session[:form_keys] && session[:form_keys].keys.include?(params[:_form_key])
session[:form_keys][params[:_form_key]][1] += 1
if session[:form_keys][params[:_form_key]][1] >= 4
if params[:_form_key] && session[:form_keys]
key = session.dbman.generate_digest(params[:_form_key])
if session[:form_keys].keys.include?(key)
session[:form_keys][key][1] += 1
if session[:form_keys][key][1] >= 4
render :text => "You cannot resubmit this form again.", :layout => 'error', :status => 403
return false
end
end
else
render :text => "You must have Javascript on to submit this form.", :layout => 'error', :status => 403
return false

View file

@ -8,7 +8,7 @@ module ActionView
if name == :form && @protect_form_from_spam
session[:form_keys] ||= {}
form_key = Digest::SHA1.hexdigest(self.object_id.to_s + rand.to_s)
session[:form_keys][form_key] = [Time.now, 0]
session[:form_keys][session.dbman.generate_digest(form_key)] = [Time.now, 0]
if session[:form_keys].length > 30
first = session[:form_keys].values.sort { |a,b| a[0] <=> b[0] } [0]
session[:form_keys].delete(session[:form_keys].index(first))