How to reset the fields used in a form to empty once sent?


#1

Hi All,
I am needing some help. In 2013 I created a website with an enquiry form. Sadly, recently ‘someone’ discovered that by going backwards and forwards in the browser he could just simply press the send button again and in that way send many emails with spam messages in them. Very annoying it is. I have added the visitor IP to the form and the email being sent, to block the IP in question in the firewall, but it would be much better to reset the fields to empty once the form is sent. Is there any easy way to do this? With easy I mean just adding one row of code to the form.

My cakePHP version is 2.8.1

Any help much appreciated.


#2

Even if you reset the fields, an attacker can still use cURL or any other tool to spoof the request. You should add some single-use token for this action; I don't remember much about Cake 2, so you will have to look it up yourself.


#3

Thanks. It seems really browser related, so I find it very difficult to find a good solution: the user just presses back in their browser and all fields are still filled, no matter what I do in Cake.


#4

This is due to the BFCache (Back-Forward Cache) that most modern browsers make use of.
When you hit the back/forward button, you don’t actually reload the page, you just load the cached version.

You could try this code to listen for this and reset the form values (requires jQuery, but you get my drift):

$(window).on("pageshow", function (event) {
  // "pageshow" also fires when the page is restored from the back/forward
  // cache, where a normal "load" handler would not run again.
  $("form").each(function () { this.reset(); }); // clear the enquiry form
});

However, what you are dealing with can also be done by hitting F5, making your browser just send the request over and over.
Or, like @Graziel already said, use something like cURL that just sends requests over and over and over.
Luckily, the world has found a solution to this: a Captcha.
Simply adding the visitor IP in the form (using a hidden field or something) won’t do it, as this can easily be spoofed as well (e.g. by using a proxy/TOR or just changing the value in the POST request).

I’d highly recommend looking into Captchas for making it more difficult for spammers.