What I’ve done in the past and seems to work, is generate a unique id on the serverside (hashing Time.now for example), then putting that in a session variable and injecting it through a javascript function in a field. This won’t work on browsers with JS turned off, but it’s pretty good protection and the user doesn’t need to know about it (i.e. your actually filling in the captcha yourself through JavaScript).
Pseudo code:
Controller show_registration_page:
@unique_id = hash_value(Time.now)
session[:form_validator] = @unique_id
View:
— your other form fields here —
Controller save_registration:
if params[:validator_field] == session[:form_validator]
save_registration
else
show_message_turn_js_on_or_stop_trying_to_spam_me
end
Pretty easy to implement and no complaints about spamming.
Best regards
Peter De Berdt
