Hello

I will alter the input names for the registration- and login-forms today.

As far as I know, the login form doesn't us honey pots.

I will look into it. Thank you for the hint for now.

Are there further forms, where we need to alter the names?

The posting-form (at least for unregistered users) should be reworked, too.

Yes, you are right.

What do you think about hashing the field names? In template, we can use {$string|md5} and in PHP, we just use md5($string). MD5 is just an example (we can use every crypt/hash function) but MD5 is supported by smarty _and_ PHP. The benefit is, that the field names are still readable in the source code, i.e. $_POST[md5("email")] is more readable than $_POST['dkjhfhf324rkj'].

In general this would be a nice idea because it creates adequate shuffled strings. But this way we would hashing the same strings with the same results on every request again and again. Nothing I like. To hashing them once (today) and write the hashes hardcoded into the templates and scripts would prevent the hashing on every request but would also lower the readability of the code. Additionally the hashed but hardcoded field names are IMHO only an interim solution. IMHO its preferable to have different shuffled names on every request.

What's with generating the hash from the field name (for the readability of the code) and the CSRF-token that gets generated for every single of the affected forms? The token is known in the session, the token is known to the form and the smarty engine and it's also known to the script, that evaluates the form content.

# before generating the form (PHP code, can also be done with the Smarty engine)
$smarty->assign('new_user_name', md5("new_user_name" . $_SESSION['csrf_token']));
#after returning the forms input
$new_user_name = $_POST[md5("new_user_name" . $_SESSION['csrf_token'])];

Example works with MD5, but it can also be done with another algorithm.

Tschö, Auge