Anti spam honey pot
#11

Great addon! Some bots can get through the CSRF protection in some way, so this is a nice extra bit of security against bots. I had some issues with our excluded CSRF URIs, so I fixed this by adding the following core code to the function honey_pot_verify in MY_Security.php:

PHP Code:
// Check if URI has been whitelisted from CSRF checks
if ($exclude_uris = config_item('csrf_exclude_uris'))
{
    $uri = load_class('URI', 'core');
    foreach ($exclude_uris as $excluded)
    {
        if (preg_match('#^'.$excluded.'$#i'.(UTF8_ENABLED ? 'u' : ''), $uri->uri_string()))
        {
            return $this;
        }
    }
}


So this is the new function code:

PHP Code:
public function honey_pot_verify()
{
    // If it's not a POST request, set the honey pot and return
    if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST') {
        return $this->_spam_protection_set_honey_pot();
    }

    // Check if URI has been whitelisted from CSRF checks
    if ($exclude_uris = config_item('csrf_exclude_uris'))
    {
        $uri = load_class('URI', 'core');
        foreach ($exclude_uris as $excluded)
        {
            if (preg_match('#^'.$excluded.'$#i'.(UTF8_ENABLED ? 'u' : ''), $uri->uri_string()))
            {
                return $this;
            }
        }
    }

    // It's a post, get the stored token name to use with the available $_POST data
    // (a missing cookie leaves the name NULL, so the isset() check below fails and the request is rejected)
    $this->_honey_pot_token_name = isset($_COOKIE[$this->_honey_pot_name]) ? $_COOKIE[$this->_honey_pot_name] : NULL;

    // Does the token exist in the _POST, and is the honey pot empty?
    if (!isset($_POST[$this->_honey_pot_token_name]) OR strlen($_POST[$this->_honey_pot_token_name]) > 0)
    {
        // Log a clear error, but don't print clear honey pot errors to screen
        log_message('error', 'The honey pot was invalid OR not empty!');
        $this->csrf_show_error();
    }

    // We kill this since we're done and we don't want to pollute the _POST array
    unset($_POST[$this->_honey_pot_token_name]);

    // Nothing should last forever
    unset($_COOKIE[$this->_honey_pot_name]);
    $this->_honey_pot_token_name = NULL;

    $this->_spam_protection_set_honey_pot();

    log_message('info', 'Honey pot verified');
    return $this;
}

#12

(02-29-2016, 05:35 AM)ardavan Wrote: Hey @Martin7483,

I copied and pasted your honey pot code into my project.
Now how can I test whether it's working on my project or not?

Thanks in advance

Hi @ardavan,

You can test it by filling in some value in the hidden input field using the browser's developer tools (in Google Chrome, press F12) and then sending the form.
#13

Hi,

Thanks for the update. Sorry for the late reply :(

Been very busy with work and family stuff. But will be here more from now on :)
#14

It has been a while, but I have recently come across an issue with the honey pot.

I never created an expire time for the token.

Update the ./config/config.php file and add
PHP Code:
$config['honey_pot_expire'] = 3600;

Update the ./core/MY_Security.php file and add the following lines
PHP Code:
protected $_honey_pot_expire; // The time the token remains valid for. Default is 1 hour
...
...

public function __construct() {
    ...
    ...
    $this->_honey_pot_expire = config_item('honey_pot_expire');
}

/**
 * Honey pot Set Cookie
 *
 * @return CI_Security
 */
public function honey_pot_set_cookie() {
    $expire = time() + $this->_honey_pot_expire;
    ...
    ...
}


The code provided in the OP has also been updated
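The pieces discussed in posts #11 and #14 (the random hidden field remembered in a cookie, the field that must come back empty, the URI exclusion list and the token expiry) pulled together into one framework-free script, as an added example that is not the addon's own code or part of this thread. The class name, method names, the cookie and secret values and the sample requests are all assumptions made for the example; CodeIgniter's real implementation keeps its state in the Security class and in $_COOKIE/$_POST instead of the arrays passed in here.

```php
<?php
declare(strict_types=1);

// Added example (not the addon's code): a standalone sketch of the honey pot pattern
// from this thread. A randomly named hidden field is issued per visitor, its name is
// remembered in a cookie, the field must come back empty, the token expires, and some
// URIs are skipped the way csrf_exclude_uris works. All names here are assumptions.

final class HoneyPot
{
    private string $cookieName;
    private string $secret;       // server-side key; keeps the cookie value from being forged
    private int $expire;          // seconds a token stays valid (post #14's honey_pot_expire)
    private array $excludeUris;   // regex list, same shape as CodeIgniter's csrf_exclude_uris

    public function __construct(string $cookieName, string $secret, int $expire, array $excludeUris = [])
    {
        $this->cookieName  = $cookieName;
        $this->secret      = $secret;
        $this->expire      = $expire;
        $this->excludeUris = $excludeUris;
    }

    // Build the cookie value for a fresh token: "<field name>|<issued at>|<hmac>".
    // The issue time is stored inside the authenticated value, so expiry is enforced
    // by the server instead of relying on the browser to drop an expired cookie.
    public function issue(int $now): string
    {
        $field = 'hp_' . bin2hex(random_bytes(8));
        $body  = $field . '|' . $now;
        return $body . '|' . hash_hmac('sha256', $body, $this->secret);
    }

    // Hidden-field name to render in the form, or null if the cookie is unusable.
    public function fieldName(?string $cookieValue): ?string
    {
        $parts = $cookieValue === null ? [] : explode('|', $cookieValue);
        return count($parts) === 3 ? $parts[0] : null;
    }

    // True when the request may proceed; false when it should get the spam error.
    public function verify(string $method, string $uri, array $cookie, array $post, int $now): bool
    {
        if (strtoupper($method) !== 'POST') {
            return true;                                  // nothing to check on GET
        }
        foreach ($this->excludeUris as $excluded) {       // the exclusion added in post #11
            if (preg_match('#^' . $excluded . '$#iu', $uri)) {
                return true;
            }
        }
        $parts = isset($cookie[$this->cookieName]) ? explode('|', $cookie[$this->cookieName]) : [];
        if (count($parts) !== 3) {
            return false;                                 // no usable token cookie
        }
        [$field, $issued, $mac] = $parts;
        if (!hash_equals(hash_hmac('sha256', $field . '|' . $issued, $this->secret), $mac)) {
            return false;                                 // cookie value was tampered with
        }
        if ($now - (int) $issued > $this->expire) {
            return false;                                 // token older than honey_pot_expire
        }
        // Humans never see the field, so it must be present and empty; bots tend to fill it.
        return isset($post[$field]) && $post[$field] === '';
    }
}

// Constructed sample requests (not real traffic).
$hp     = new HoneyPot('hp_name', 'change-me-server-secret', 3600, ['api/.*']);
$cookie = $hp->issue(1000000);
$field  = $hp->fieldName($cookie);

$cases = [
    'human, empty field'   => $hp->verify('POST', 'contact/send', ['hp_name' => $cookie], [$field => ''], 1000100),
    'bot filled the field' => $hp->verify('POST', 'contact/send', ['hp_name' => $cookie], [$field => 'buy now'], 1000100),
    'field missing'        => $hp->verify('POST', 'contact/send', ['hp_name' => $cookie], [], 1000100),
    'expired token'        => $hp->verify('POST', 'contact/send', ['hp_name' => $cookie], [$field => ''], 1004000),
    'excluded uri'         => $hp->verify('POST', 'api/v1/hook', [], [], 1000100),
    'forged cookie'        => $hp->verify('POST', 'contact/send', ['hp_name' => 'x|1000000|deadbeef'], ['x' => ''], 1000100),
];
foreach ($cases as $label => $ok) {
    printf("%-22s %s\n", $label, $ok ? 'accept' : 'reject');
}
```

Run it with `php honeypot.php`; the first and fifth cases print `accept`, the rest `reject`. The one deliberate departure from the thread's code is where the expiry lives: a `setcookie()` expiry only tells the browser when to forget the cookie, so this sketch puts the issue time inside the HMAC-protected cookie value and checks it on the server. The honey pot remains a cheap filter for unsophisticated bots and sits alongside, not instead of, the CSRF token.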
#15

Can we use $config['honey_pot_exclude_uris'] like the CSRF exclude URIs?

I really need this exclusion because I need the honey pot for just some URLs, not the whole website; currently it checks the honey pot for all URLs.