> Yes, but if that hidden form field is generated automatically and is
> truly unique per user, what harm is there?
The spider can read the string and post whatever it wants to your form
for that request and keep doing it over and over and over again.
> Couldn't a spider just as
> easily pick up a session var?
Now this is where I'm not 100% sure. I have been doing some research and
as far as I can tell it cannot. I'm open to being proven wrong.
> After all, it has to hit the first page
> to "read" the image and then post, so it could do so in the same
> session.
That is only useful if a spider can read the session. It would not even
have to worry about the image if it could read the session. It could
however decode your image and try and figure it out from there. But most
of the time, nobody is going to spend that much time. Nothing is 100%
but you make it as difficult as possible.
>
> Another good thing might be to push all of your images down using
> <cfcontent> so that they all appear as "image.gif" and then it will be
> harder to map an image to a correct response.
Either way, the only way it would matter is if the spider could read the
session. If it can it doesn't have to worry about the image.
> However, the tax on the
> server of creating dynamic images for every request seems absurd.
You know how many IO operations happen in CFMX during a request? A lot,
it really isn't any more taxing than displaying the image itself. For
most sites, it would not even be noticeable. And if it becomes so, you just
upgrade the server.
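
Added illustration, not part of the original message and not code from either poster: a small Python model (not ColdFusion) of the two designs argued over in this thread. It assumes the hidden field carries a keyed hash of the expected answer; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed key, for this example only


def _tag(answer):
    """Keyed hash of the expected answer (assumed content of the hidden field)."""
    return hmac.new(SERVER_KEY, answer.lower().encode(), hashlib.sha256).hexdigest()


class HiddenFieldCaptcha:
    """Stateless design: the expected answer travels in the form as a hidden tag."""

    def issue(self):
        answer = secrets.token_hex(3)   # text that would be drawn into the image
        return answer, _tag(answer)     # the tag is readable by any client

    def verify(self, hidden_tag, typed):
        return hmac.compare_digest(hidden_tag.encode(), _tag(typed).encode())


class SessionCaptcha:
    """Server-side design: the answer lives in session state and is single-use."""

    def __init__(self):
        self._answers = {}              # session id -> expected answer

    def issue(self):
        sid, answer = secrets.token_urlsafe(16), secrets.token_hex(3)
        self._answers[sid] = answer
        return sid, answer              # only sid (cookie) and the image leave the server

    def verify(self, sid, typed):
        expected = self._answers.pop(sid, None)   # consumed on first attempt, right or wrong
        return expected is not None and hmac.compare_digest(
            expected.encode(), typed.lower().encode())


def replay_results(attempts=3):
    """Solve each challenge once, then resubmit the identical POST."""
    hidden, sess = HiddenFieldCaptcha(), SessionCaptcha()
    answer, tag = hidden.issue()
    hidden_ok = [hidden.verify(tag, answer) for _ in range(attempts)]
    sid, answer = sess.issue()
    session_ok = [sess.verify(sid, answer) for _ in range(attempts)]
    return hidden_ok, session_ok
```

In the session design the session id still travels in a cookie; what stays on the server is the expected answer, and consuming it on the first attempt is what makes a resubmitted POST fail.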

