On Fri, Jun 15, 2007 at 09:55:30AM +0200, Martin Winkler wrote:
> 
> Am Thu, 14 Jun 2007 15:51:10 -0400
> schrieb Forest Bond <[EMAIL PROTECTED]>:
> 
> > You can do it without external persistence (sessions and/or database
> > table) by encrypting the correct response in the image filename.
> 
> So when the request to get the image is sent to django, we have to
> decrypt the solution according to the image's URL. In my
> opinion that raises some problems, because it could be decrypted by
> someone else too, unless you use a private/public key encryption,
> which means more work on the django server than using just hashed
> filenames like my approach does.

If encrypting the answer in the image filename, the encryption scheme would have
to be somewhat secure (or at least obscure enough to fool bots).  I should think
a simple symmetric algorithm using settings.SECRET_KEY.  It needn't be a strong
form of encryption, since the pay-off from breaking it hardly justifies even the
smallest computation time (for the bot, that is).  The simpler the algorithm,
the lower your server load, too.  Do note that it must be symmetric, since you
need to be able to decrypt the answer.

> Furthermore I don't see a real reason to generate images on the
> fly instead of storing them directly. My approach is quite speedy even
> with auto_cleanup, when there are many captcha images sitting in the
> filesystem all the time. I ran an apache benchmark test on my
> development machine (not the fastest hardware) multiple times where
> each of them creating 1000 captchas:

[...]

Performance wasn't my primary concern.  Writing images to the filesystem makes
scalability more challenging and increases the potential for race conditions.  I
avoid it as a matter of principle whenever possible.

Really, though, it's your code, do things however you want.

My guess is that django.contrib apps need to be a little more flexible, though.
It should be possible to use the app with or without filesystem writes (which
are not an option for all sites).  I'm also under the impression that the django
core devs are generally not huge fans of Captcha systems, but I could be making
that up.

-Forest
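An added example of the stateless scheme Forest sketches above (the expected answer is carried in the image URL, keyed from settings.SECRET_KEY, with no session or database row). This is not code from the thread or from any Django app; SECRET_KEY, TOKEN_TTL and all function names are assumptions. It uses only the standard library so it runs offline, and it goes one step further than the quoted proposal: the answer is not only hidden but also authenticated, because an unauthenticated "obscure" filename lets a client submit a token whose answer it chose itself.

```python
"""Stateless CAPTCHA token: the expected answer travels in the image filename.

Layout of a token (before urlsafe base64): nonce(8) | ciphertext | tag(16)
  ciphertext = (timestamp(8 bytes) + answer) XOR keystream
  keystream  = HMAC-SHA256(enc_key, nonce || counter) in counter mode
  tag        = HMAC-SHA256(mac_key, nonce || ciphertext)[:16]
Both keys are derived from SECRET_KEY, so nothing has to be stored server-side.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

SECRET_KEY = "hypothetical-dev-secret-replace-me"  # stands in for settings.SECRET_KEY
TOKEN_TTL = 300                                    # seconds a challenge stays valid (assumed)


def _keys():
    # Separate encryption and MAC keys derived from the one configured secret.
    base = SECRET_KEY.encode()
    enc_key = hashlib.sha256(b"captcha-enc|" + base).digest()
    mac_key = hashlib.sha256(b"captcha-mac|" + base).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode gives a cheap keystream without a cipher library.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_token(answer: str, now=None) -> str:
    """Encode the expected answer plus an issue timestamp into a URL-safe token."""
    enc_key, mac_key = _keys()
    nonce = secrets.token_bytes(8)                  # fresh per challenge, so equal answers differ
    ts = int(now if now is not None else time.time())
    body = struct.pack(">Q", ts) + answer.encode()
    ct = _xor(body, _keystream(enc_key, nonce, len(body)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")


def parse_token(token: str, now=None):
    """Return the answer embedded in a token, or None if it is forged, damaged or expired."""
    enc_key, mac_key = _keys()
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, TypeError):
        return None
    if len(raw) < 8 + 8 + 16:
        return None
    nonce, ct, tag = raw[:8], raw[8:-16], raw[-16:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):   # tampering or wrong SECRET_KEY
        return None
    body = _xor(ct, _keystream(enc_key, nonce, len(ct)))
    ts = struct.unpack(">Q", body[:8])[0]
    current = now if now is not None else time.time()
    if not 0 <= current - ts <= TOKEN_TTL:       # expired (or clock went backwards)
        return None
    return body[8:].decode("utf-8", errors="replace")


def image_filename(token: str) -> str:
    # What the view would serve: the token is the only state the URL carries.
    return f"/captcha/{token}.png"


def verify_answer(token: str, submitted: str, now=None) -> bool:
    """Check a user's submission against the answer sealed in the token."""
    answer = parse_token(token, now)
    if answer is None:
        return False
    return hmac.compare_digest(answer.strip().lower().encode(),
                               submitted.strip().lower().encode())


def flip_ciphertext_bit(token: str) -> str:
    # Helper for the demonstration below: corrupt one bit of the ciphertext.
    raw = bytearray(base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)))
    raw[8] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode().rstrip("=")


if __name__ == "__main__":
    tok = make_token("k7x2")
    print(image_filename(tok))
    print("correct answer accepted:", verify_answer(tok, "K7X2"))
    print("tampered token accepted:", verify_answer(flip_ciphertext_bit(tok), "k7x2"))
```

The tag is what makes the filename safe to hand to the client; the stream cipher only keeps the answer out of view. One limitation this design shares with any stateless token: a correct token can be resubmitted until TOKEN_TTL runs out, so a site that needs each challenge to be single-use still has to record used tokens somewhere (a short-lived cache entry is enough), which is exactly the persistence the thread is debating.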
