views: 302
answers: 4

Hello,

I've already read most of the questions regarding techniques to prevent form spam, but none of them seem to suggest the use of the browser's session.

We have a form that sends an email to a given email address, and we didn't like the idea of using "captchas" or JavaScript, as we wanted to keep the user journey simple and accessible to those without JavaScript.

We would like to use the session object to help prevent form spam. Our webapp is developed on Weblogic Server 10 using Struts.

The solution being: when the form loads, it would set a variable in the session object. Once you click submit, we check the session for the variable. No variable, redirect to the form. Variable exists, send the email.

I would really appreciate any opinions/reasons why this might be a bad idea, so we can evaluate this solution against others.

Many thanks, Jonathan

A: 

Session objects can, depending on implementation, be relatively heavy in terms of resource usage, as well as somewhat slow. Additionally, the spammer, if they realize how you are blocking them, can simply start a new session every time they hit the form by not sending back the session cookie.

So, because that technique relies on the client to behave nicely, and the expected behavior is fairly easy to prevent, it is possibly less useful than some other ways to solve the problem.

cdeszaq
A: 

Thank you for your reply cdeszaq, but I'm not sure if you misunderstood my question.

For the form submission to complete successfully, clients will be forced to load the form to set up the session object correctly. Only when the session is in the correct state, will it be possible to send an email.

If the spammer is not sending back the session cookie, then they will not be able to spam my form as they haven't gone to my form page that creates the right session.

I agree that using the session object would create extra resource usage. Our implementation would simply (using JSP) call session.setAttribute("formLoaded", true); and in my Struts action I would simply use session.getAttribute("formLoaded") to check.

Jonathan
Right, so then the same system can be used with a 2 page-load setup to spam: hit the form to get the session, and then send the spam. Repeat this and you have an easy way to spam around this method.
cdeszaq
+1  A: 

There is nothing to prevent a spammer from automating the process of downloading your form (thus generating the cookie) and submitting it. It may impose a slight burden on the spammer, but a trivial one.

As an example, a form can be easily downloaded and submitted, with cookies preserved, using a command-line tool such as cURL. This can then be run from a script repeatedly.

JacobM
A: 

I wonder if this might work:

  1. Each time you render page/form, create a random bit of text
  2. Put that text in the session
  3. Include that text as a hidden field in the form
  4. User submits the form
  5. Action compares the hidden text to the value in the session - if there's a match, send the email

Since a hacker wouldn't be able to put any random value in the session, they wouldn't be able to spam. Right?

Glen
They could just submit the form, filling in the spam as they want to, and include all hidden field values.
cdeszaq
I thought the original problem was this: a spam program might submit to an action without using the form. In my scenario, this is not possible; the form must be displayed first, and the correct random String placed in the subsequent submission to the action. The "2 page-load" approach you mention would circumvent this, if that random String were scraped off the form page. But perhaps, like the "orange" captcha method, it would be enough for the purposes of the original question asker.
Glen
If the problem is submission without using the form, then the original poster's solution (relying on the session cookie) would work, as would yours. I don't know how common it is for form-spam software (I assume there is such a thing) to load the form first, but given that it would be trivial to implement, I would assume that a solution that depends on NOT loading the form first will not be terribly useful. (The "orange" captcha works because a spammer would have to target the software to the particular site. That wouldn't be necessary in this instance.)
JacobM
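As an added example that is not code from this thread or from the asker's Struts application, here is the random-token-in-session scheme Glen describes (token stored in the session and echoed in a hidden field, compared on submit) written as plain Python functions, together with the "2 page-load" bot that cdeszaq and JacobM point out defeats it. The in-memory `SessionStore`, `render_form`, `handle_submit` and `two_page_load_bot` are this example's own names and stand in for the servlet container's session, the JSP page and the Struts action; the token is additionally made single-use and compared in constant time, which the thread does not discuss but which a practitioner would want.

```python
"""Token-in-session form check and the two-page-load bot that bypasses it.

Added example, not code from the original thread. Models the JSP/Struts
scheme with plain functions: a session store keyed by a cookie value, a
form renderer that drops a random token into both the session and a hidden
field, and a submit handler that only "sends the email" when the two match.
The bot shows that loading the form first makes the check worthless against
automation. All names here are this example's own assumptions.
"""
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

Session = Dict[str, str]


class SessionStore:
    """In-memory stand-in for the container's HttpSession registry."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new(self) -> str:
        sid = secrets.token_urlsafe(32)          # unguessable cookie value
        self._sessions[sid] = {}
        return sid

    def get(self, sid: Optional[str]) -> Optional[Session]:
        return self._sessions.get(sid) if sid else None


def render_form(store: SessionStore, sid: Optional[str] = None) -> Tuple[str, str]:
    """GET /form: ensure a session, mint a one-time token, embed it in the page.

    Returns (session_id, html). The session id plays the cookie; the hidden
    field carries the same token stored under 'form_token' in the session.
    """
    session = store.get(sid)
    if session is None:
        sid = store.new()
        session = store.get(sid)
    token = secrets.token_urlsafe(16)
    session["form_token"] = token
    html = (
        '<form method="post" action="/sendmail">'
        f'<input type="hidden" name="form_token" value="{token}">'
        '<textarea name="message"></textarea>'
        '<input type="submit"></form>'
    )
    return sid, html


def handle_submit(store: SessionStore, sid: Optional[str], fields: Dict[str, str]) -> str:
    """POST /sendmail: 'sent' only if the hidden token matches the session copy.

    Returns 'redirect' (back to the form) on any failure. The token is consumed
    on success so a captured form page cannot simply be replayed.
    """
    session = store.get(sid)
    if session is None:
        return "redirect"                        # no cookie / unknown session
    expected = session.pop("form_token", None)   # single use
    submitted = fields.get("form_token", "")
    if expected is None or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return "redirect"
    return "sent"                                # the real action emails here


_TOKEN_RE = re.compile(r'name="form_token" value="([^"]+)"')


def two_page_load_bot(store: SessionStore, attempts: int) -> int:
    """Spammer's side: load the form (cookie + token), scrape it, post. Repeat.

    This is the 'hit the form to get the session, then send the spam' loop
    from the comments, i.e. what a curl cookie-jar script does.
    Returns how many submissions got through.
    """
    sent = 0
    for _ in range(attempts):
        sid, html = render_form(store)           # page load 1: GET the form
        token = _TOKEN_RE.search(html).group(1)  # scrape the hidden field
        if handle_submit(store, sid, {"form_token": token, "message": "buy now"}) == "sent":
            sent += 1                            # page load 2: POST the spam
    return sent


if __name__ == "__main__":
    store = SessionStore()
    print("direct POST, no form load:", handle_submit(store, None, {"message": "spam"}))
    print("bot that loads the form first:", two_page_load_bot(store, 5), "of 5 delivered")
```

Run stand-alone, the direct POST is redirected while every bot attempt that fetches the form first is delivered, which is the point made in the comments: the check only raises the cost of spamming from one request to two.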