What's to stop the bot from grabbing the token from the home page and
using it in its attack?  The token has to be something the
bot can't readily read, e.g., captcha.

Bill said:

"I have the ability to turn on form tokens on my forms, so to be able
to post to a form you have to first fetch the single-use token from
the form.  That has been a big help with forms that send mail, but
also aids in preventing reposting of forms -- in addition to redirect
after post."

So obviously they work for him. Anything that has an effect without causing accessibility problems for users has to be a good thing.

In any case, I was just suggesting a way he could still make his existing token system work with a "static" page to save server resources.

Carl

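The single-use form tokens Bill describes, together with the limit Carl points out, as an added Python illustration (not Catalyst's or Bill's code; the in-memory store, the session ids and the 15-minute lifetime are assumptions):

```python
import secrets
import time

# Single-use form tokens in the style Bill describes: the server hands out a
# token when it serves the form, and a POST is accepted only if it carries a
# token that was issued, has not been used, and belongs to the same session.
# Illustration only: the store is an in-memory dict, which a real deployment
# would replace with the user's session or a shared cache.
class FormTokenStore:
    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self.issued = {}  # nonce -> (session_id, expiry); removed on first use

    def issue(self, session_id, now=None):
        """Called while rendering the form; the value goes in a hidden field."""
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(24)  # 192 random bits, not guessable
        self.issued[nonce] = (session_id, now + self.ttl)
        return nonce

    def consume(self, nonce, session_id, now=None):
        """Called on POST. True once per token; False for unknown, replayed,
        expired or foreign-session tokens."""
        now = time.time() if now is None else now
        entry = self.issued.get(nonce)
        if entry is None:
            return False
        owner, expiry = entry
        if owner != session_id or now > expiry:
            return False
        del self.issued[nonce]  # single use: a second POST with it fails
        return True


def demo():
    """Walk through the cases discussed in the thread; returns the outcomes."""
    store = FormTokenStore(ttl_seconds=900)
    t0 = 1_000_000.0  # constructed clock so the run is deterministic
    tok = store.issue("sess-A", now=t0)
    results = {
        "first_post": store.consume(tok, "sess-A", now=t0 + 5),
        "replay": store.consume(tok, "sess-A", now=t0 + 6),
        "forged": store.consume("made-up-value", "sess-A", now=t0 + 7),
    }
    tok2 = store.issue("sess-A", now=t0)
    results["other_session"] = store.consume(tok2, "sess-B", now=t0 + 8)
    results["expired"] = store.consume(tok2, "sess-A", now=t0 + 901)
    # Carl's objection: a client that first GETs the form is handed a valid
    # token like any browser, so the token stops replay and blind posting,
    # not an automated client that follows the same two-step flow.
    tok3 = store.issue("sess-bot", now=t0)
    results["fetch_then_post"] = store.consume(tok3, "sess-bot", now=t0 + 1)
    return results
```

The last case is why the token alone does not answer Carl's question: it makes the form unusable without a prior fetch from the same session, which is a replay and cross-site control rather than a bot control.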

_______________________________________________
List: [email protected]
Listinfo: http://lists.rawmode.org/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/