Does using CSRF form tokens help spam prevention?

Question

I am trying to stop bots from (potentially) submitting fake data to my php registration file. I am creating a site that uses a signup/login system and I want to add email verification which I am capable of. However the problem is my webhost only allows x amount of emails per minute, if a bot were to spam this not only will my database be filled with spam accounts but I will also be suspended for breaking the email limit.

I have been reading up about securing forms and CSRF came up, a term I am not familiar with.

This is my current understanding of the 'token method' of CSRF prevention;

• When the page containing the form is loaded create a token. Store the token in a SESSION or cookie.

• When the PHP file that handles the registration is run, it will check for the token. If the one submitted in the form doesn't match (or if the token isn't set in SESSION) the request is spam.

I don't understand why the bot can't simply get the token from the HTML form and submit it. I understand it changes every time, can it not just grab it each time?

I assume the bot would just submit the data using CurL or something of the sort to bypass the need to actually submit the HTML form and instead send the data straight to the PHP file.

My question is essentially, why and how does this method prevent against bots submitting my registration form (or any form for that matter).

Answer 1

Does using CSRF form tokens help spam prevention?

Somewhat, yes. Not by design, but because it makes the amount of work involved in writing a bot slightly higher, and bot writers are lazy.

I don't understand why the bot can't simply get the token from the HTML form and submit it

Sure, a bot that is written specifically to target your signup form will do that. And a bot that is implemented as headless web browser will do it automatically just because that's what a real browser would do.

The bots you will stop by having a CSRF token are the stupider bots, the ones that just pour junk into every form action URL their scrapers find, submit, and run away without even looking to see what the response was. Comment spammers are often this dumb.

Answer 2

My question is essentially, why and how does this method prevent against bots submitting my registration form (or any form for that matter).

It doesn't.

CSRF stands for "Cross-Site Request Forgery" and such tokens help prevent exactly that - a user being tricked into submitting a form from another site to yours, which has nothing to do with spam.

For spam prevention, you should be using a CAPTCHA challenge of some sort.

Answer 3

CSRF stands for Cross Site Request Forgery this is NOT a method to prevent a robot from submitting forms, this is a means to prevent additional browser tabs from submitted data to an existing session on another tab.

Take Facebook, most people are always signed in if another tab could submit a status update on your wall simply by sending a string to the end point, you're already signed in so it gets authorised and posted.

Where as CSRF prevents tabs from doing this because there is NO way they can collect your token from an existing tab. The token only needs to be generated once per session and be unique for each session (although frequently changing it makes it more secure).

You need to use a CAPTCHA.