Anti spam honey pot

Greet addon! Some bots can get through the CSRF protection in some way, so this is a nice extra security for bots. I had some issues with our excluded CSRF URIs so I fix this by adding the following core code to the function honey_pot_verify in MY_Security.php:

PHP Code:

// Check if URI has been whitelisted from CSRF checks
if ($exclude_uris = config_item('csrf_exclude_uris'))
{
    $uri = load_class('URI', 'core');
    foreach ($exclude_uris as $excluded)
    {
        if (preg_match('#^'.$excluded.'$#i'.(UTF8_ENABLED ? 'u' : ''), $uri->uri_string()))
        {
            return $this;
        }
    }
} 


So this is new function code:

PHP Code:

public function honey_pot_verify()
{
    // If it's not a POST request, set the honey pot and return
    if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST') {
        return $this->_spam_protection_set_honey_pot();
    }
    
    // Check if URI has been whitelisted from CSRF checks
    if ($exclude_uris = config_item('csrf_exclude_uris'))
    {
        $uri = load_class('URI', 'core');
        foreach ($exclude_uris as $excluded)
        {
            if (preg_match('#^'.$excluded.'$#i'.(UTF8_ENABLED ? 'u' : ''), $uri->uri_string()))
            {
                return $this;
            }
        }
    }

    // It's a post, get the stored token name to use with the available $_POST data
    $this->_honey_pot_token_name = $_COOKIE[$this->_honey_pot_name];
    
    // Do the tokens exist in the _POST
    if (!isset($_POST[$this->_honey_pot_token_name]) OR strlen($_POST[$this->_honey_pot_token_name]) > 0) // Is the honey pot empty?
    {
        // Log a clear error, but don't print clear honey pot errors to screen
        log_message('error', 'The honey pot was invalid OR not empty!');
        $this->csrf_show_error();
    }
    
    // We kill this since we're done and we don't want to polute the _POST array
    unset($_POST[$this->_honey_pot_token_name]);
    
    // Nothing should last forever
    unset($_COOKIE[$this->_honey_pot_name]);
    $this->_honey_pot_token_name = NULL;

    $this->_spam_protection_set_honey_pot();
    
    log_message('info', 'Honey pot verified');
    return $this;
} 


Hey @Martin7483,

i copy and paste your honey pot code to my project.
Now How can i test whether its working on my project or not?

Thanks in advance

Hi @ardavan,

You can test it by filling in some value in the hidden input field using the browser developers tool like in Google Chrome by pressing F12 and then sent the form.

Hi,

Thanks for the update. Sorry for the late reply

Been very busy with work and family stuff. But will be here more from now on

It has been a while, but I have recently come a cross an issue with the honey pot.

I never created an expire time for the token.

Update the ./config/config.php file and add

PHP Code:

$config['honey_pot_expire'] = 3600; 


Update the ./core/MY_Security.php file and add the following lines

PHP Code:

protected $_honey_pot_expire; // The time the token remains valid for. Default is 1 hour
...
...

public function __construct() {
   ...
   ...
   $this->_honey_pot_expire = config_item('honey_pot_expire');
}

/**
 * Honey pot Set Cookie
 *
 * @return CI_Security
 */
public function honey_pot_set_cookie() {
 
    $expire = time() + $this->_honey_pot_expire;
    ...
    ...
} 


The code provided in the OP has also been updated

Can we use $config['honey_pot_exclude_uris'] like the CSRF exclude URI?

I really need this exclusion cause I need the honey pot for just some url but not the whole website which currently, it checks the honey pot for all urls.