On Sun, 2 Oct 2005 14:36:39 +0200 Adrian Rossouw <adrian@bryght.com> wrote:
On 02 Oct 2005, at 2:22 PM, Jeremy Andrews wrote:
Yes. The best solution I have come up with is to track token use, preventing token re-use. I had a nearly working patch a while ago (it tracked the last n-used tokens), but ran out of time. It had some issues telling previews and submits apart, as well as with handling followup edits. When it becomes necessary, I will surely dust it off again.
Why not add a count variable to the token generation, and have a db table / variable keeping track of how many times you have used the token (ie: successful submission).
There is some confusion introduced from the fact that it is perfectly legitimate to "preview" a comment as many times as you like, so the forms logic would have to know the difference. It's also legitimate to "submit" a comment multiple times, as there may be errors that have to be fixed; that's a little more difficult to work around. Finally, it can also be legitimate to "edit" a comment many times. In all of these cases, the same token is used.

A simpler solution I just thought of would require the introduction of a three-column table: token, type, id. The token column holds the token. The type column is a text string holding the content type (ie, comment, node, etc...). The id column holds the unique id for that form (ie, the cid, the nid, etc...). Insert the token/type/id combo when generating the token, but be sure the token hasn't been used with another id for that data type. This avoids all the problems described above, and would prevent token re-use by comment spammers.

The only problem is that this solution doesn't work for forms that don't have unique ids, such as the contact form. Perhaps that's okay. (You could have an 'id' of 0 in such cases.)

-Jeremy
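A runnable sketch of the three-column token/type/id table proposed in the message above, added here as an illustration; it is not code from the thread or from Drupal. It uses Python with an in-memory SQLite table, and the `TokenTable` class, its method names and the sample comment ids are assumptions of the example. The (token, type) primary key is what enforces "the token hasn't been used with another id for that data type": preview, resubmit-after-error and edit all present the same (token, type, id) and pass, while the same token replayed against a different comment id, a different content type, or a token that was never issued is rejected.

```python
import secrets
import sqlite3

# Constructed stand-in for the proposed table. One token may be bound to at
# most one id per content type, so a second binding fails at INSERT time.
SCHEMA = """
CREATE TABLE form_token (
    token TEXT    NOT NULL,
    type  TEXT    NOT NULL,  -- content type of the form: 'comment', 'node', ...
    id    INTEGER NOT NULL,  -- cid, nid, ... (0 for forms with no unique id)
    PRIMARY KEY (token, type)
)
"""


class TokenTable:
    """Issue form tokens bound to a (type, id) pair and check them on submit."""

    def __init__(self, conn=None):
        self.conn = conn or sqlite3.connect(":memory:")
        self.conn.execute(SCHEMA)

    def issue(self, content_type, content_id):
        """Generate a fresh token for one form and record which (type, id) it belongs to."""
        while True:
            token = secrets.token_hex(16)  # 128 random bits, unguessable
            try:
                self.conn.execute(
                    "INSERT INTO form_token (token, type, id) VALUES (?, ?, ?)",
                    (token, content_type, content_id),
                )
                self.conn.commit()
                return token
            except sqlite3.IntegrityError:
                # Token already bound to some id for this type: never reuse it, draw again.
                continue

    def check(self, token, content_type, content_id):
        """True only if this exact token was issued for this (type, id)."""
        row = self.conn.execute(
            "SELECT id FROM form_token WHERE token = ? AND type = ?",
            (token, content_type),
        ).fetchone()
        if row is None:
            return False  # never issued, or issued for another content type
        return row[0] == content_id


def demo():
    """Walk through the legitimate and the abusive uses discussed in the thread."""
    table = TokenTable()
    token = table.issue("comment", 42)  # assumed: editing comment cid 42
    return {
        "preview": table.check(token, "comment", 42),
        "resubmit_after_error": table.check(token, "comment", 42),
        "edit_again": table.check(token, "comment", 42),
        "replayed_on_other_comment": table.check(token, "comment", 43),
        "replayed_on_node": table.check(token, "node", 42),
        "forged_token": table.check("00" * 16, "comment", 42),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28s} {'accepted' if ok else 'rejected'}")
```

Two practical caveats follow directly from the proposal's own limits: forms that all share an id of 0 (the contact form, or a brand-new comment before it has a cid) are indistinguishable to this check, so a token issued for one such form is valid for every other one of that type; and because rows are inserted at token generation rather than at submission, the table needs an expiry or cleanup rule or it grows with every page view that renders a form.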