forgive the continued OT-ness, it makes sense to just continue this
for another post or two here...
On Jun 6, 2006, at 5:10 AM, Kjetil Kjernsmo wrote:
a lot of good points
i agree 100% with everything you said. it's awful for users, and it's
awful for the server load - which is why i want to make it as modperl
as possible.
i'd rather not use images, but right now they're 'easiest' and expected.
i want to implement one captcha system, and then just have a modular
element handle how the challenge is presented...
i should have something usable for input within 18hours via Trac/SVN.
it's a bit awkwardly laid out classwise, as i'm pretty much porting
from a half-finished python version and both languages have very
different approaches to class inheritance.
i don't mean to use cheaply implemented / replaced / upgraded plugins
for image generation, but for all presentation formats. ie, you can
switch between different image outputs if you want... or between
jpeg/text-logic with a single line of code
basically the idea for use is this:

# build a new captcha
my $captcha= Captcha::NewCaptcha->new( sitesecret=>'a-z', seed=>'A-Z' );
my $publickey= $captcha->generate(); # public key is used to generate the captcha test

# validate the captcha
my $captcha= Captcha::ExistingCaptcha->new( sitesecret=>'a-z', seed=>'A-Z' );
if ( !$captcha->validate( public_key=>$publickey , human_answer=>$human_answer ) ) {
    die "invalid key";
}

# generate the captcha using a factory pattern
my $captcha= Captcha::ExistingCaptcha->new( sitesecret=>'a-z', seed=>'A-Z' );
my $jpeg_data= $captcha->render( 'image' );
my $html_logic_field= $captcha->render( 'html_logic' );
my $wav_data= $captcha->render( 'sound' );
# i chose a factory dispatch instead of calling a variation directly,
# because some captchas may have several versions called at once...

all of the output options are separate and modularized. ie:
Captcha::Img
Captcha::Sound
Captcha::Logic
but share the main Captcha interface and inheritance
captcha keys so far work like this
public_key= md5( sitesecret , seed , timenow );
question/answer = generate_pair( key ) ; # where a given key will always return a specific pair
something presented to the user ( a text puzzle, a visual captcha, a
sound ) has embedded with it 'public_key' and 'timenow'
captcha.gif?public_key=2384u20983u4234&time=111110001
<input type="hidden" name="public_key" value="2384u20983u4234"/>
timenow is valid for ( cpu - 30s ) - ( cpu + 240s ) which is 30s in
the past and 4mins in the future
sitesecret is configured per-site, defaults to '' -- just to add a
minimal layer of security
seed is a session variable supplied by the calling program
this makes a GENERAL key that can provide a turing authentication
with a built in self-destruction time of 4.5mins (time can be
changed, but that should account for casual use of a computer plus a
cluster of machines that are out of sync and not running ntp )
to make things secure, keys SHOULD be checked into/outof a db -- but
that makes more sense to me in the calling program, not a generation/
validation module. i think a captcha system should just generate a
test and validate it. whether or not a test has been used before, or
if an ip has called for 300 tests in 10seconds, or if a test was
given to ipA and answered by ipB,C,D shouldn't be in the module. it's
too user specific to put in there (i think) - or at least in the main
module.
in any event, that's my approach so far - i can implement most of it
right away with an image test that everyone will find annoying and
some will feel disfranchised by... but with a few lines in code I can
switch it to audio or text-logic as those parts get written.
( though it's not as extensible as i'd like right now.. i'd like to
support multiple image rendering options).
//Jonathan Vanasco
|- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| RoadSound.com / Indie-Rock.net
| Collaborative Online Management And Syndication Tools
|- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
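
The stateless key scheme described in the message above (public_key from sitesecret, seed and timenow; a key that always maps to the same question/answer pair; a -30s/+240s window), as an added Python example that is not the author's module or code from the original post. Assumptions: HMAC-SHA256 keyed with a non-empty sitesecret stands in for md5(), the answer is derived from a second MAC so it cannot be computed from the public key alone, the window is read as relative to the issue time, and every function name is hypothetical.

```python
import hashlib
import hmac
import time

PAST_SKEW = 30     # seconds the checking machine's clock may lag the issuer's
FUTURE_LIFE = 240  # seconds the user has to answer


def _mac(sitesecret, *parts):
    # Assumption: HMAC-SHA256 replaces md5(); fields are length-prefixed so
    # ("ab", "c") and ("a", "bc") cannot produce the same key.
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(sitesecret.encode(), msg, hashlib.sha256).hexdigest()


def generate(sitesecret, seed, now=None):
    """Return (public_key, timenow), the two values embedded in the form."""
    timenow = int(time.time()) if now is None else int(now)
    return _mac(sitesecret, "key", seed, str(timenow)), timenow


def expected_answer(sitesecret, public_key):
    # Same key always gives the same answer, but only with sitesecret: the
    # public key alone is not enough. Six digits stand in for a real puzzle.
    digest = _mac(sitesecret, "answer", public_key)
    return "%06d" % (int(digest[:12], 16) % 1_000_000)


def validate(sitesecret, seed, public_key, timenow, human_answer, now=None):
    now = int(time.time()) if now is None else int(now)
    # Assumed reading of the window: 30s before issue to 240s after it.
    if not (timenow - PAST_SKEW <= now <= timenow + FUTURE_LIFE):
        return False
    good_key, _ = generate(sitesecret, seed, timenow)
    if not hmac.compare_digest(good_key.encode(), public_key.encode()):
        return False  # not minted by this site for this seed and time
    good_answer = expected_answer(sitesecret, public_key)
    return hmac.compare_digest(good_answer.encode(), human_answer.encode())


if __name__ == "__main__":
    secret, seed = "constructed-site-secret", "constructed-session-id"
    key, t = generate(secret, seed, now=1_150_000_000)
    answer = expected_answer(secret, key)
    for offset in (60, 120, 241):  # first two pass: replay is not detected here
        print(offset, validate(secret, seed, key, t, answer, now=t + offset))
```

The first two checks in the demo both succeed with the same key and answer, which is the reuse case the message leaves to a db check in the calling program.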