[drupal-devel] simple and effective comment spam prevention exists and works

Jeremy Andrews jeremy at kerneltrap.org
Mon Oct 3 14:22:56 UTC 2005


On Mon, 3 Oct 2005 16:10:10 +0200
Adrian Rossouw <adrian at bryght.com> wrote:

> > If I load the form twice, does it have a different id each
> > time?  How about if two different people load the form?
>
> Every time you submit the form, it will be different on
> subsequent reloads.
>
> Every person will have a different token, due to the
> session id being part of it.

However, as the session id is stored on the client, it can be
controlled by the spammer.  Thus, a spammer could simply use
the same session_id to submit the same form with different
data.  We have to allow multiple submits from the same
session_id to handle previews and submits with errors...

-Jeremy
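
The replay concern raised in this message, as an added Python example that is not part of the original post or of Drupal's code: a token computed only from the session id and form id verifies on every replay, while a server-recorded single-use token still allows previews and error resubmits because each re-rendered form gets a fresh one. `SERVER_KEY`, the session id and form id values, and all function and class names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: per-site secret, never sent to clients


def stateless_token(session_id, form_id):
    """Token computed only from values the client can send again unchanged."""
    msg = f"{session_id}:{form_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def stateless_check(session_id, form_id, token):
    return hmac.compare_digest(stateless_token(session_id, form_id), token)


class SingleUseTokens:
    """Server-side record of issued tokens; each token is accepted once."""

    def __init__(self):
        self._issued = {}  # token -> (session_id, form_id)

    def issue(self, session_id, form_id):
        token = secrets.token_hex(16)
        self._issued[token] = (session_id, form_id)
        return token

    def consume(self, session_id, form_id, token):
        # pop() discards the token on any attempt, so it cannot be retried.
        return self._issued.pop(token, None) == (session_id, form_id)


def demo():
    sid, form = "constructed-session-id", "comment_form"  # constructed values
    token = stateless_token(sid, form)
    replays = [stateless_check(sid, form, token) for _ in range(3)]

    store = SingleUseTokens()
    first = store.issue(sid, form)
    preview_ok = store.consume(sid, form, first)   # user clicks Preview
    second = store.issue(sid, form)                # preview page re-renders the form
    replay_ok = store.consume(sid, form, first)    # old token sent again
    submit_ok = store.consume(sid, form, second)   # real submit with fresh token
    return replays, preview_ok, replay_ok, submit_ok


if __name__ == "__main__":
    print(demo())
```

A client can still load a fresh form for every post, so single use only forces one form fetch per submission; it does not by itself distinguish a person from a script.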


