[drupal-devel] simple and effective comment spam prevention exists and works
Jeremy Andrews
jeremy at kerneltrap.org
Mon Oct 3 14:22:56 UTC 2005
On Mon, 3 Oct 2005 16:10:10 +0200
Adrian Rossouw <adrian at bryght.com> wrote:
> > If I load the form twice, does it have a different id each
> > time? How about if two different people load the form?
>
> Every time you submit the form, it will be different on
> subsequent reloads.
>
> Every person will have a different token, due to the
> session id being part of it.
However, as the session id is stored on the client, it can be
controlled by the spammer. Thus, a spammer could simply use
the same session_id to submit the same form with different
data. We have to allow multiple submits from the same
session_id to handle previews and submits with errors...
-Jeremy
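
The point above, as an added example that is not code from this thread or from Drupal: a form token the server can recompute from the client-held session id verifies on every repeat, while a server-stored single-use token still supports previews and error resubmits by issuing a fresh token each time. `SITE_KEY`, `FormTokenStore`, the outcome names and the sample session id are hypothetical.

```python
import hashlib
import hmac
import secrets

SITE_KEY = secrets.token_bytes(32)  # assumed server-side secret


def stateless_token(session_id: str, form_id: str) -> str:
    """Token that is a pure function of the client-held session id."""
    msg = f"{session_id}:{form_id}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()


def stateless_check(session_id: str, form_id: str, token: str) -> bool:
    return hmac.compare_digest(stateless_token(session_id, form_id), token)


class FormTokenStore:
    """Server-side tokens: each is consumed by exactly one submission."""

    def __init__(self):
        self._live = {}  # token -> (session_id, form_id)

    def issue(self, session_id: str, form_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._live[token] = (session_id, form_id)
        return token

    def submit(self, session_id, form_id, token, outcome):
        """outcome is 'saved', 'preview' or 'error'. Returns (accepted, next_token)."""
        # pop() consumes the token whether or not the binding matches.
        if self._live.pop(token, None) != (session_id, form_id):
            return False, None
        if outcome == "saved":
            return True, None
        # Preview or validation error: the re-rendered form gets a new token.
        return True, self.issue(session_id, form_id)


def demo():
    sid, form = "constructed-session-id", "comment_form"  # constructed values
    t = stateless_token(sid, form)
    repeats = sum(stateless_check(sid, form, t) for _ in range(3))
    store = FormTokenStore()
    t1 = store.issue(sid, form)
    ok_preview, t2 = store.submit(sid, form, t1, "preview")
    ok_save, _ = store.submit(sid, form, t2, "saved")
    ok_repeat, _ = store.submit(sid, form, t2, "saved")
    ok_stale, _ = store.submit(sid, form, t1, "saved")
    return repeats, (ok_preview, ok_save, ok_repeat, ok_stale)
```

The single-use store ties each accepted comment to one form the server actually rendered; it does not by itself stop a client that requests a fresh form for every post.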