- 🇺🇸 United States tr Cascadia
Implement an "advanced" server-side validation for the field.
The field should have the user session ID as a value which is checked on the server via a table to make sure that the form cannot be submitted with just any value or empty.
The purpose of this improvement is to extend the security of a hidden field to a specific-value-per-user check which can make it harder for spammers to get past your honeypot.
Caching can be a problem if the field value gets cached and used by multiple users, so the page caching should be disabled if server-side validation is enabled.
One should be able to switch on/off the server-side validation, since some people might be more concerned with performance than security (cached form pages vs. non-cached form pages). (Ruled out, since caching is disabled by default in Honeypot.)
Extend the honeypot_add_form_protection function to add the session_id to the field, add a token field, save the value in a table, and use another validation function, _honeypot_advanced_validate, to validate the value of the field against the token being used, which should be saved in the table.
The token gets invalidated when the form is successfully submitted. The records are deleted by cron jobs using the same expiration time as the log records.
Status: Needs work
Version: 2.2
Component: Code
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.
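The following is an added, stand-alone model of the token lifecycle proposed in this issue (issue a per-session token when the form is rendered, check it on submit, invalidate it on success, purge expired rows from cron). It is not the Honeypot module's code: an in-memory SQLite table accessed through PDO stands in for Drupal's database layer, a constructed string stands in for `session_id()`, and the function names `honeypot_token_issue`, `honeypot_token_validate`, `honeypot_token_consume`, `honeypot_token_cron` and the constant `HONEYPOT_TOKEN_EXPIRE` are hypothetical names chosen for the example.

```php
<?php
// Added example, not Honeypot's own code. The SQLite table, the fixed clock and
// the session ids used below are constructed for the demo; in the module the
// same queries would go through Drupal's db layer and the form arrays would be
// built inside honeypot_add_form_protection().
declare(strict_types=1);

const HONEYPOT_TOKEN_EXPIRE = 300; // seconds; stands in for Honeypot's log expiration setting

function honeypot_db(): PDO {
    static $db = null;
    if ($db === null) {
        $db = new PDO('sqlite::memory:');
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $db->exec('CREATE TABLE honeypot_token (
            token      TEXT PRIMARY KEY,
            session_id TEXT NOT NULL,
            created    INTEGER NOT NULL)');
    }
    return $db;
}

// Render time: put the session id in the hidden field, add a random single-use
// token field, and record the (token, session) pair so submit can check it.
function honeypot_token_issue(array &$form, string $session_id, int $now): string {
    $token = bin2hex(random_bytes(16));
    honeypot_db()
        ->prepare('INSERT INTO honeypot_token (token, session_id, created) VALUES (?, ?, ?)')
        ->execute([$token, $session_id, $now]);
    $form['honeypot_session'] = ['#type' => 'hidden', '#value' => $session_id];
    $form['honeypot_token']   = ['#type' => 'hidden', '#value' => $token];
    return $token;
}

// Submit time (the role of _honeypot_advanced_validate): accept only if the field
// carries this session's id and the token is known, bound to this session and
// unexpired. Returns null when valid, otherwise an error message for the form.
function honeypot_token_validate(array $values, string $session_id, int $now): ?string {
    $token = (string) ($values['honeypot_token'] ?? '');
    if ($token === '' || (string) ($values['honeypot_session'] ?? '') !== $session_id) {
        return 'Missing or mismatched honeypot session value.';
    }
    $stmt = honeypot_db()->prepare('SELECT session_id, created FROM honeypot_token WHERE token = ?');
    $stmt->execute([$token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'Unknown or already used token.';
    }
    if (!hash_equals($row['session_id'], $session_id)) {
        return 'Token was issued to a different session.';
    }
    if ($now - (int) $row['created'] > HONEYPOT_TOKEN_EXPIRE) {
        return 'Token has expired.';
    }
    return null;
}

// After a successful submission: delete the row so the same token cannot be replayed.
function honeypot_token_consume(string $token): void {
    honeypot_db()->prepare('DELETE FROM honeypot_token WHERE token = ?')->execute([$token]);
}

// hook_cron(): drop records older than the expiration, like the log records.
function honeypot_token_cron(int $now): int {
    $stmt = honeypot_db()->prepare('DELETE FROM honeypot_token WHERE created < ?');
    $stmt->execute([$now - HONEYPOT_TOKEN_EXPIRE]);
    return $stmt->rowCount();
}

// Demo with a fixed clock and constructed session ids.
$now  = 1700000000;
$form = [];
$token = honeypot_token_issue($form, 'sess-alice', $now);
$good  = ['honeypot_session' => 'sess-alice', 'honeypot_token' => $token];
$cases = [
    'fresh token, same session'        => [$good, 'sess-alice', $now + 10],
    'empty token field'                => [['honeypot_session' => 'sess-alice', 'honeypot_token' => ''], 'sess-alice', $now],
    'token replayed by other session'  => [$good, 'sess-bob', $now],
    'token older than expiration'      => [$good, 'sess-alice', $now + HONEYPOT_TOKEN_EXPIRE + 1],
];
foreach ($cases as $label => [$values, $sid, $at]) {
    printf("%-34s %s\n", $label . ':', honeypot_token_validate($values, $sid, $at) ?? 'accepted');
}
honeypot_token_consume($token);
printf("%-34s %s\n", 'same token after submit:', honeypot_token_validate($good, 'sess-alice', $now) ?? 'accepted');
honeypot_token_issue($form, 'sess-carol', $now - HONEYPOT_TOKEN_EXPIRE - 1);
printf("%-34s %d\n", 'rows purged by cron:', honeypot_token_cron($now));
```

Two points a practitioner would want alongside this: because the hidden value is per session, a form rendered this way must not be served from the page cache (the caching caveat above), and `hash_equals` is used so the comparison does not leak timing. On Drupal 7 there is an extra wrinkle: anonymous sessions are only persisted once something is written to `$_SESSION`, so the id rendered into the form may not be the id seen on submit unless the module also writes to the session when it issues the token.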