
Honeypot Filter #176

Closed
lonnieezell opened this issue Jul 19, 2016 · 15 comments
Labels
help wanted More help is needed for the proper resolution of an issue or pull request new feature PRs for new features

Comments

@lonnieezell
Member

Something like: https://github.com/CHH/stack-honeypot

@lonnieezell lonnieezell added help wanted More help is needed for the proper resolution of an issue or pull request new feature PRs for new features labels Jul 19, 2016
@lonnieezell lonnieezell added this to the Pre-Alpha 2 milestone Jul 19, 2016
@arma7x
Contributor

arma7x commented Jul 21, 2016

How about this implementation http://forum.codeigniter.com/thread-63141.html

@InsiteFX
Contributor

We do not need to start bloating CI4 with third party add-on stuff.

@lonnieezell
Member Author

My thought was that this would replace the ineffective CAPTCHA system we have with something that, as far as I know, is still seen as being fairly effective at stopping bots. And, with filters now in the system, it can be automated so the user never has to think about it.

@arma7x
Contributor

arma7x commented Jul 21, 2016

I read a simple explanation here, and have tried 2 methods of implementation:

    1. Extend the Security class, but the form helper is needed to insert the honeypot field into the form; then the filter is done like CSRF. My reference: http://forum.codeigniter.com/thread-63141.html
    2. Apply it directly in a filter: before() validates the honeypot and after() appends the honeypot at the end of any form field. But using preg_replace() to add the honeypot into the getBody() output is a really painful task; what I do is replace the closing form tag, adding the honeypot just before it:

```php
// Honeypot markup, followed by the </form> that the replacement consumes
$prep_field = '<div class="hidden" style="display: none;"><input type="hidden" name="' . $this->inputName . '" value="' . $this->inputValue . '" style="display:none;" /></div></form>';

// Rewrite every closing form tag in the rendered body
$body = $response->getBody();
$body = preg_replace('/<\/form>/', $prep_field, $body);
$response->setBody($body);
```

@aanbar

aanbar commented Jul 27, 2016

As I understand this cannot replace captcha; this is a method to protect against general purpose spam bots & won't be effective if the bot was written for a specific site.

Anyway, I don't like the idea of having useless form fields in every single form I have so adding it automatically & checking for it automatically may not be convenient for everybody.

How it works:

  • You create a div & add an empty text field and add a class to hide that form field from normal users.
  • You check that the honeypot field which is required to be empty is actually empty upon form submission.

If I understand how it works correctly then here's my suggestion on how to implement this:

  • Add a function in form_helper -- form_honeypot(string $name)
  • either add a function in form_helper like check_honeypot(string $name): bool which returns boolean true when empty or false when it's filled & let the user handle it inside controller
  • Or add a validation rule in form_validation like 'honeypot_field' which would give a generic error message like (Failed to validate form) without giving hints on what's wrong

We might have both options implemented & let the user choose what he wants.
This requires adding a user guide on how to use this.

@lonnieezell
Member Author

Anyway, I don't like the idea of having useless form fields in every single form I have so adding it automatically & checking for it automatically may not be convenient for everybody.

Which is why it would be setup as a filter that users could decide to use or not.

Your "how it works" section describes the original version. Improvements have been made to the theories that improve its effectiveness, including randomizing where in the form it's placed, taking the name of an existing form field, hashing the other on the form, and then putting them back on the way back in, time restrictions, etc. With the newer methods, they seem to be better than many, if not most, CAPTCHAs, and leaps above what CI3 provides.

But the newer methods also work best as a filter/middleware so that it can analyze the built form during output and insert/modify the field names, etc, and then put things back and do its check on the way in.
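The renaming-and-timing scheme described in the two comments above, written out as an added stand-alone PHP example. This is not CodeIgniter code: the class name, the `_hp` form-id field, the `f_` token prefix, the age limits and the in-memory `$store` that stands in for session storage are all assumptions made for the example (it needs PHP 8 for constructor promotion).

```php
<?php
declare(strict_types=1);

// Added example, not CodeIgniter code: plain-PHP sketch of the "newer" honeypot
// ideas above. Real inputs get hashed names, a decoy that keeps the original
// name is placed at random beside each one, a form id ties the submission back
// to the rendered form, and a time window is enforced. $store stands in for
// session storage; every name in this file is an assumption for the example.
final class RenamingHoneypot
{
    private const MIN_AGE = 3;     // seconds: faster than a human can fill a form
    private const MAX_AGE = 3600;  // seconds: older forms are stale

    /** @var array<string, array{map: array<string,string>, decoys: string[], ts: int}> */
    private array $store = [];

    public function __construct(private string $secret)
    {
    }

    /** Outbound: rewrite the rendered form HTML. */
    public function protect(string $html, int $now): string
    {
        $id     = bin2hex(random_bytes(8));
        $map    = []; // hashed name => original name
        $decoys = []; // original names, reused as traps

        $html = preg_replace_callback(
            '/<input\b[^>]*\bname="([^"]+)"[^>]*>/i',
            function (array $m) use ($id, &$map, &$decoys): string {
                $orig  = $m[1];
                $token = 'f_' . substr(hash_hmac('sha256', $id . ':' . $orig, $this->secret), 0, 16);
                $map[$token] = $orig;
                $decoys[]    = $orig;
                $real  = str_replace('name="' . $orig . '"', 'name="' . $token . '"', $m[0]);
                // The trap carries the original name, so a bot keyed on name="email" fills it.
                $decoy = '<input type="text" name="' . $orig . '" value="" autocomplete="off" tabindex="-1" style="display:none">';
                // Random placement: trap before or after the real field.
                return random_int(0, 1) === 1 ? $decoy . $real : $real . $decoy;
            },
            $html
        );

        $this->store[$id] = ['map' => $map, 'decoys' => $decoys, 'ts' => $now];

        return str_replace('</form>', '<input type="hidden" name="_hp" value="' . $id . '"></form>', $html);
    }

    /** Inbound: the POST data with original names restored, or null when it looks like a bot. */
    public function unprotect(array $post, int $now): ?array
    {
        $id = $post['_hp'] ?? null;
        if (!is_string($id) || !isset($this->store[$id])) {
            return null; // missing or unknown form id
        }
        $state = $this->store[$id];
        unset($this->store[$id]); // each rendered form is accepted once, which also blocks replay

        $age = $now - $state['ts'];
        if ($age < self::MIN_AGE || $age > self::MAX_AGE) {
            return null; // submitted too fast or too late
        }
        foreach ($state['decoys'] as $name) {
            if (($post[$name] ?? '') !== '') {
                return null; // a trap was filled
            }
        }
        $clean = [];
        foreach ($state['map'] as $token => $orig) {
            if (array_key_exists($token, $post)) {
                $clean[$orig] = $post[$token]; // put the original names back
            }
        }
        return $clean;
    }
}

// Constructed demo: one form, one human-style submission, one bot-style submission.
$hp   = new RenamingHoneypot('example-secret-change-me');
$form = '<form method="post"><input type="text" name="email"><input type="text" name="subject"><button>Send</button></form>';

$t0  = time();
$out = $hp->protect($form, $t0);
preg_match('/name="_hp" value="([0-9a-f]{16})"/', $out, $idMatch);
preg_match_all('/name="(f_[0-9a-f]{16})"/', $out, $tokens);

// Human: fills only the renamed (visible) fields and takes a few seconds.
$human = ['_hp' => $idMatch[1], $tokens[1][0] => 'a@example.test', $tokens[1][1] => 'hello'];
var_dump($hp->unprotect($human, $t0 + 10)); // original field names restored

// Bot: keys on the familiar names and posts instantly, so both checks reject it.
$out2 = $hp->protect($form, $t0);
preg_match('/name="_hp" value="([0-9a-f]{16})"/', $out2, $idMatch2);
$bot = ['_hp' => $idMatch2[1], 'email' => 'spam@example.test', 'subject' => 'buy now'];
var_dump($hp->unprotect($bot, $t0)); // rejected
```

Only `<input>` elements are rewritten here; a real filter would also cover `<select>` and `<textarea>`, and would keep the per-form state in the session rather than in an object property. The one-use rule in `unprotect()` is what makes the hashed names worthwhile: a bot that scrapes a form once cannot reuse the names it saw.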

@lonnieezell lonnieezell modified the milestones: Alpha, Pre-Alpha 2 May 19, 2017
@ranjithsiji

ranjithsiji commented Jul 15, 2017

This is a fantastic feature. A must to be included in CodeIgniter. Better than CSRF I think. 👍 @aanbar I think you are right. The implementation must have more options. The field may contain some value or a blank.

having useless form fields in every single form I have so adding it automatically & checking for it automatically may not be convenient for everybody.

Yes you are right. But there is always an option to disable this honey pot and it is off by default. If someone wants then just enable honey pot and use it.

I think using this we can raise the security level of CodeIgniter by including this feature.

@lonnieezell lonnieezell modified the milestones: Alpha, 4.0 Public Availability Jan 9, 2018
@dvdnwoke
Contributor

This is a nice feature. Is anyone working on it currently?

@lonnieezell
Member Author

I have made a start on it, but have not gotten very far. If you want to tackle it - that works for me! :)

@dvdnwoke
Contributor

The theory I have is adding it as middleware, so that on every request the honeypot field can be checked and redirected to a blank page if the field is not empty, with the possibility to randomize the field names.

@lonnieezell
Member Author

@dvdnwoke That's exactly correct. Though CI4 doesn't have "middleware" by that name. You would use Controller Filters the same way.

@dvdnwoke
Contributor

Ok I will implement it over the weekend

@lonnieezell
Member Author

Great. I look forward to it!

@dvdnwoke
Contributor

dvdnwoke commented May 31, 2018

@lonnieezell
This is what I was able to come up with. Any suggestions or improvements before sending it as a pull request?


```php
<?php

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;

class Honeypot implements FilterInterface
{
    /**
     * Checks whether the honeypot field was filled in. Humans never see
     * the field, so a value means the requester is a bot: show a blank page.
     *
     * @param RequestInterface|\CodeIgniter\HTTP\IncomingRequest $request
     *
     * @return mixed
     */
    public function before(RequestInterface $request)
    {
        // **Will there be need to protect against bad data**
        if ($request->getVar('honeypot')) {
            die();
            //**Is Redirection needed**
        }
    }

    /**
     * Appends the hidden honeypot field to every form in the response body,
     * just before the closing </form> tag.
     *
     * @param RequestInterface|\CodeIgniter\HTTP\IncomingRequest $request
     * @param ResponseInterface|\CodeIgniter\HTTP\Response        $response
     *
     * @return mixed
     */
    public function after(RequestInterface $request, ResponseInterface $response)
    {
        $prep_field = '
            <div class="hidden" style="display:none">
                <label>Fill This Trap</label>
                <input type="hidden" name="honeypot" value=""/>
            </div>
            </form>';

        $body = $response->getBody();
        $body = preg_replace('/<\/form>/', $prep_field, $body);
        $response->setBody($body);
    }
}
```

@lonnieezell
Member Author

@dvdnwoke That's a good start. Here's a few comments:

  • make the name, label, etc set through a config file so users can easily change it per app. See this class. Oh - and make the base HTML part a template string that can be defined in the config file, also, so users can make it look structurally like the rest of their site if they need to.
  • move the logic to a new class. A simple implementation like you've started here is fine, but somewhere down the road we'll want to make it more robust and more effective. Good ideas here.
  • don't forget docs and tests. :)

Then go ahead and submit a PR and we can go from there.

Thanks!
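The three review points above (config-driven name, label and template; logic in its own class; something that is easy to test), together with the earlier suggestion of a helper-style check and a validation rule that only reports a generic error, as one added stand-alone PHP example. This is not CodeIgniter's own implementation: the `HoneypotConfig` property names, the `{label}`/`{name}` placeholders, the method names and the constructed sample submissions are assumptions for the example (PHP 8 for constructor promotion).

```php
<?php
declare(strict_types=1);

// Added example, not CodeIgniter's own code: the honeypot logic pulled out of
// the filter into its own class and driven by a config object, as the review
// comments above suggest. Property, method and placeholder names are assumptions.
final class HoneypotConfig
{
    public string $name  = 'honeypot';
    public string $label = 'Fill This Field';

    /** Markup for the trap; {label} and {name} are substituted at render time. */
    public string $template = '<div style="display:none" aria-hidden="true">'
        . '<label>{label}</label>'
        . '<input type="text" name="{name}" value="" autocomplete="off" tabindex="-1">'
        . '</div>';

    /** Deliberately generic: gives no hint about which field tripped the check. */
    public string $errorMessage = 'Failed to validate form';
}

final class Honeypot
{
    public function __construct(private HoneypotConfig $config)
    {
    }

    /** The trap markup with the configured label and field name filled in. */
    public function render(): string
    {
        return strtr($this->config->template, [
            '{label}' => htmlspecialchars($this->config->label, ENT_QUOTES),
            '{name}'  => htmlspecialchars($this->config->name, ENT_QUOTES),
        ]);
    }

    /** Inserts the trap before every closing </form> tag of a response body. */
    public function attach(string $body): string
    {
        return str_ireplace('</form>', $this->render() . '</form>', $body);
    }

    /** True when the honeypot field arrived with content, i.e. something filled it in. */
    public function hasContent(array $post): bool
    {
        $value = $post[$this->config->name] ?? '';

        // An array (name[] tampering) or anything non-empty is treated as a bot;
        // an absent or empty field passes, as a browser form submitted by a human would.
        return !is_string($value) || trim($value) !== '';
    }

    /** Validation-rule style: null when clean, the generic message otherwise. */
    public function validate(array $post): ?string
    {
        return $this->hasContent($post) ? $this->config->errorMessage : null;
    }
}

// Constructed demo input; no framework is needed for this part.
$honeypot = new Honeypot(new HoneypotConfig());

$page = '<form method="post"><input type="text" name="email"><button>Send</button></form>';
echo $honeypot->attach($page), PHP_EOL; // the trap now sits just before </form>

$human = ['email' => 'a@example.test', 'honeypot' => ''];
$bot   = ['email' => 'a@example.test', 'honeypot' => 'http://spam.example'];
var_dump($honeypot->validate($human)); // clean submission
var_dump($honeypot->validate($bot));   // generic error message
```

A filter would then call `hasContent()` on the POST data in `before()` and pass the body through `attach()` in `after()`, returning an empty response instead of calling `die()` so the framework still finishes the request cleanly. Because the class does no I/O of its own, it can be unit-tested with plain arrays and strings, which covers the "docs and tests" point without booting the framework.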
