Honeytime Guard
The honeytime guard uses a hidden form field to determine if the form was submitted by a bot. The form field contains an encrypted timestamp that cannot be forged by bots. When the form is submitted, the timestamp is checked against the current time. If the form was submitted too quickly, it is rejected.
This guard requires an encryption key. You can generate a new encryption key with the following command: head -c 32 /dev/urandom | base64
. Then set this key with a base64:
prefix in your site/config/config.php
file. Example:
return [
'uniform.honeytime.key' => 'base64:m9pAO+r/7SbyT0lfWTYM4+iV9BwZiT3ouxBurDoNAXs=',
];
The special form field can be added to a form with the honeytime_field
helper function like this:
<form action="<?php echo $page->url() ?>" method="POST">
<!-- ... -->
<?php echo honeytime_field(c::get('uniform.honeytime.key')); ?>
<!-- ... -->
</form>
When you use the honeytime guard in the controller, you also have to specify the key:
$form->honeytimeGuard([
'key' => c::get('uniform.honeytime.key'),
]);
You can also configure another field name like this:
Controller:
$form->honeytimeGuard([
'key' => c::get('uniform.honeytime.key'),
'field' => 'url',
]);
Template:
<?php echo honeytime_field(c::get('uniform.honeytime.key'). 'url'); ?>
The honeytime field value will not be available in actions even if you explicitly defined it in the constructor array of validation rules of the Form
class (which you don't have to).
Options
key (required)
The encryption key. You can generate one with the command head -c 32 /dev/urandom | base64
and then append a base64:
prefix.
seconds
If the form is submitted faster than this time, it will be rejected.
Default: 10
field
Name of the form field to use as a honeytime.
Default: 'uniform-honeytime'