I've replied to this a couple of times, but it's been blocked by the mailing list software. One last try...

On Sun, 6 Nov 2005 13:54:20 -0500 Steve Dondley <sdondley@gmail.com> wrote:
> Some ISPs, like AOL, change a user's IP address from one page view to the next. It seems like this might cause a problem for the new forms API, which uses the IP address to create a token used to validate a form. The IP address collected from the user when the form gets loaded could be different from the IP address seen when submitting it.

The form validation code was originally added in this thread: http://drupal.org/node/28420 (see #23 - #26). We discussed using the IP or the session_id, and I chose the IP at the time.

If ISPs out there really change a user's IP with each page load (that seems awfully ugly to me, but whatever), then something needs to change in our code. Is there ever a time where the session_id may change from page to page (i.e., what if cookies are disabled in the browser, and the server isn't configured to embed session IDs in the URL?)

The attached patch is all it would take to switch from IPs to session IDs. Alternatively you could just remove the IP/session_id and form validation would still offer protection from spammers.

-Jeremy
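
The trade-off raised in this message, as an added example that is not part of the original e-mail, the attached patch, or Drupal's code: a form token computed as an HMAC over the form ID and a per-client binding, checked with the IP and then the session ID as that binding. The function names, the site key and the request values are assumptions constructed for the illustration.

```php
<?php
// Added illustration; not Drupal's form API. All names and values are hypothetical.

const SITE_KEY = 'constructed-demo-key'; // assumption: a per-site secret

// Token = HMAC(site key, form id | binding). $binding is the value that
// ties the token to one visitor: the client IP or the session ID.
function form_token(string $form_id, string $binding): string {
    return hash_hmac('sha256', $form_id . '|' . $binding, SITE_KEY);
}

function form_token_valid(string $token, string $form_id, string $binding): bool {
    // Constant-time comparison so the check does not leak matching prefixes.
    return hash_equals(form_token($form_id, $binding), $token);
}

// Constructed request that loads the form.
$load = ['ip' => '192.0.2.10', 'sid' => 'sess-4f2a'];

// Constructed submissions that present the token issued at load time.
$cases = [
    // Same browser, but the ISP proxy pool hands out a different address.
    'IP rotated by ISP'    => ['ip' => '192.0.2.77',   'sid' => 'sess-4f2a'],
    // Same browser with cookies off and no session ID in the URL:
    // the server starts a fresh session on every request.
    'cookies off, new sid' => ['ip' => '192.0.2.10',   'sid' => 'sess-71bd'],
    // A different client replaying a token it did not load itself.
    'different client'     => ['ip' => '198.51.100.5', 'sid' => 'sess-9c1e'],
];

foreach (['ip', 'sid'] as $field) {
    $token = form_token('comment_form', $load[$field]);
    foreach ($cases as $label => $req) {
        $ok = form_token_valid($token, 'comment_form', $req[$field]);
        printf("bind=%-3s  %-22s %s\n", $field, $label, $ok ? 'accepted' : 'rejected');
    }
}
```

With the IP binding the rotated-address submission from the legitimate user is rejected; with the session ID binding it is accepted, while the cookies-off submission is rejected instead. The different client is rejected under both bindings.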