Hey Guys,

Assuming you are not using sessions. If you have a captcha on an HTML form like the one mentioned by Stan in the conversation here (using a hashed value in a hidden input): https://groups.google.com/group/openbd/browse_thread/thread/67659903b6048510/9c8d27e798a82f5d?lnk=gst&q=captcha#9c8d27e798a82f5d

What stops a malicious person from saving your form as a .htm file on their computer and submitting the same form every time? Your action page is just looking to see if hash(user_answer) EQ prehashed_answer. It doesn't care if the same value has been submitted a thousand times or where it comes from.

Originally I thought Stan's answer was great and I was thinking about implementing it in a production environment instead of sessions, but a coworker brought this point up to me and I didn't have an answer. The only solution I could think of is somehow adding an encrypted timestamp to the form, but that may not be any better.

I can easily implement sessions if it's the only way. However, anonymous sessions for a few simple forms on a public facing site seem like overkill to me. Anyone have experience implementing a captcha without sessions? Suggestions?

Thanks!

--
online documentation: http://openbd.org/manual/
google+ hints/tips: https://plus.google.com/115990347459711259462
http://groups.google.com/group/openbd?hl=en
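As an added illustration of the replay problem raised above (example code, not from the thread or from OpenBD): the bare-hash check accepts the same saved form indefinitely, whereas a hidden field carrying an HMAC-signed answer digest, issue time and nonce bounds the replay window and, with a small server-side set of spent nonces, makes each issued form single-use. The secret, TTL and helper names are assumptions.

```python
# Added example: stateless captcha token vs. the bare-hash hidden field.
import hashlib, hmac, os, time, base64

SECRET = b"constructed-server-secret"  # assumption: server-only key, never sent to the client
TOKEN_TTL = 300                        # assumption: seconds a token stays valid

def answer_digest(answer):
    # Keyed digest: unlike a plain hash, it cannot be guessed offline from the hidden field.
    return hmac.new(SECRET, answer.strip().lower().encode(), hashlib.sha256).hexdigest()

def bare_hash(answer):
    """The scheme from the thread: an unkeyed hash of the answer in a hidden input."""
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()

def verify_bare_hash(field_value, user_answer):
    """Accepts a saved form any number of times; nothing ties it to one request."""
    return hmac.compare_digest(field_value, bare_hash(user_answer))

def make_token(answer, now=None):
    """Hidden-field value: digest|issued-at|nonce|signature."""
    ts = str(int(time.time() if now is None else now))
    nonce = base64.urlsafe_b64encode(os.urandom(12)).decode()
    payload = "|".join((answer_digest(answer), ts, nonce))
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + sig

def verify_token(token, user_answer, seen_nonces, now=None):
    """Signature proves we issued it, the timestamp bounds replay, the nonce set spends it."""
    parts = token.split("|")
    if len(parts) != 4:
        return False
    digest, ts, nonce, sig = parts
    payload = "|".join((digest, ts, nonce))
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False                       # edited or forged field
    current = time.time() if now is None else now
    if not ts.isdigit() or current - int(ts) > TOKEN_TTL or int(ts) > current + 60:
        return False                       # expired (or clock-skewed) token
    if nonce in seen_nonces:
        return False                       # replay: this exact form was already submitted
    seen_nonces.add(nonce)                 # spend it on first use, right or wrong answer
    return hmac.compare_digest(digest, answer_digest(user_answer))
```

The seen-nonce set only needs to hold entries for TOKEN_TTL seconds, which is far less state than a session per visitor.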
