Auxiliary snippets: setSecurityToken
The setSecurityToken snippet is called at the end of pubkit.record.inc.php. It generates a random token value and stores it both in a placeholder called [+smersh+] and as a value in the $_SESSION array. Use this to check that form entries come from your own site: if the values of [+smersh+] and $_SESSION['smersh'] are not equal, the form was created elsewhere.
As of version E1.0, the snippet is only called when &secureForm=`1` is set. You can also choose your own name for the token using &token. The default is 'smersh' [смерть шпионам, death to spies; here it's death to spammers].
The snippet also generates placeholders for timestamp values that you can use to check that forms are not being filled in more quickly than humanly possible, or too slowly, either of which may indicate a robot form-filler (based on analysis of logs: sometimes automated form-fillers send out a scout one day, then fill in forms from several different IP addresses some time later). Default values are 10 seconds and 10 minutes. Be aware, however, that some legitimate visitors will paste in ready-made content quickly, or have a cup of coffee between calling up a form and submitting it.
<?php
// setSecurityToken
// kp Nov 2011
// security token and time threshold placeholders for forms
// &minTime, &maxTime = least, most time in seconds to fill in form
// &token = name of security token (default: smersh)
// compare [+smersh+] and $_SESSION['smersh'] on submit to check for spoofing
$minTime = (isset($minTime)) ? (int) $minTime : 10;
$maxTime = (isset($maxTime)) ? (int) $maxTime : 600;
$token = (isset($token)) ? $token : 'smersh';
// 32 hex characters from the system CSPRNG (PHP 7+); uniqid() and rand()
// are derived from the clock and a weak generator, so they are guessable
$smersh = bin2hex(random_bytes(16));
$_SESSION[$token] = $smersh;
$modx->setPlaceholder($token, $smersh);
// earliest and latest acceptable submission times, as Unix timestamps
$modx->setPlaceholder('minTime', time() + $minTime);
$modx->setPlaceholder('maxTime', time() + $maxTime);
return;
?>
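The submit-side check described above, as an added example that is not part of pubkit. The helper name checkSecureForm and the hidden input names 'smersh', 'minTime' and 'maxTime' are assumptions about how the form template uses the placeholders; the sample data is constructed.

```php
<?php
// Added example (not pubkit code): validate a submitted form on the server.
// Assumes the form has hidden inputs 'smersh', 'minTime' and 'maxTime'
// filled from the placeholders that setSecurityToken sets.

// Hypothetical helper: returns a list of failure reasons, empty = accept.
function checkSecureForm(array $post, array &$session, $now, $token = 'smersh')
{
    $errors   = array();
    $expected = isset($session[$token]) ? (string) $session[$token] : '';
    $supplied = (isset($post[$token]) && is_string($post[$token])) ? $post[$token] : '';
    unset($session[$token]); // single use, so a replayed form fails

    // hash_equals() compares in constant time; an empty stored token never matches.
    if ($expected === '' || !hash_equals($expected, $supplied)) {
        $errors[] = 'token mismatch';
    }

    // Hidden fields can be edited by the client, so reject anything that is
    // not a plain integer timestamp instead of falling back to a default.
    foreach (array('minTime', 'maxTime') as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || !ctype_digit($post[$field])) {
            $errors[] = "bad $field";
            return $errors;
        }
    }
    if ($now < (int) $post['minTime']) { $errors[] = 'submitted too quickly'; }
    if ($now > (int) $post['maxTime']) { $errors[] = 'submitted too slowly'; }
    return $errors;
}

// Constructed sample data: form rendered at t=1000 with the default thresholds.
$tok   = str_repeat('ab', 16);
$form  = array('smersh' => $tok, 'minTime' => '1010', 'maxTime' => '1600');
$cases = array(
    'normal visitor, 45 s'   => array($form, 1045),
    'bot, 2 s'               => array($form, 1002),
    'scout returns next day' => array($form, 1000 + 86400),
    'forged off-site form'   => array(array('smersh' => 'guess') + $form, 1045),
);
foreach ($cases as $label => $case) {
    $session = array('smersh' => $tok); // fresh session state per case
    $errors  = checkSecureForm($case[0], $session, $case[1]);
    echo $label, ': ', $errors ? implode(', ', $errors) : 'accepted', "\n";
}
```

In a real handler, pass $_POST, $_SESSION and time(). Because the timestamps travel through the form, they only catch unsophisticated bots; the token comparison is the check that does not depend on client-supplied values.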