I do not believe I am using sessions at all. The only downside atm is if they
fail the test, the page is reset. I just haven't coded in the non-loss side of
things.

This is called recaptcha.cfm and I have it in my document root/cfc folder:

<cfsetting enablecfoutputonly="true">

<cfscript>
// reCAPTCHA (v1) endpoints used by this custom tag
CHALLENGE_URL = "http://api.recaptcha.net";
SSL_CHALLENGE_URL = "https://api-secure.recaptcha.net";
VERIFY_URL = "http://api-verify.recaptcha.net/verify";
</cfscript>

<!--- both keys are required; fail loudly rather than render a widget that can never verify --->
<cfif not structKeyExists(attributes, "publicKey")>
<cfthrow type="RECAPTCHA_ATTRIBUTE"
message="recaptcha: required attribute 'publicKey' is missing">
</cfif>

<cfif not structKeyExists(attributes, "privateKey")>
<cfthrow type="RECAPTCHA_ATTRIBUTE"
message="recaptcha: required attribute 'privateKey' is missing">
</cfif>

<!--- validate the optional attributes; sInvalidAttr names whichever one failed --->
<cftry>

<cfparam name="attributes.action" default="render">

<cfif not listFindNoCase("render,check", attributes.action)>
<cfset sInvalidAttr="action not render|check">
<cfthrow>
</cfif>

<cfset sInvalidAttr="ssl not true|false">
<cfparam name="attributes.ssl" type="boolean" default="false">

<cfset sInvalidAttr="theme not red|white|blackglass">
<cfparam name="attributes.theme" type="regex" pattern="(red|white|blackglass)"
default="red">

<cfif not listFindNoCase("red,white,blackglass", attributes.theme)>
<cfthrow>
</cfif>

<cfset sInvalidAttr="tabIndex not numeric">
<cfparam name="attributes.tabIndex" type="numeric" default="0">

<cfcatch type="any">
<cfthrow type="RECAPTCHA_ATTRIBUTE"
message="recaptcha: attribute #sInvalidAttr#">
</cfcatch>
</cftry>

<!--- a challenge was submitted: verify it server-side with the private key.
The service answers "true" on one line, or "false" with an error code on a second line. --->
<cfif isDefined("form.recaptcha_challenge_field") and
isDefined("form.recaptcha_response_field")>

<cftry>
<cfhttp url="#VERIFY_URL#" method="post" timeout="5" throwonerror="true">
<cfhttpparam type="formfield" name="privatekey"
value="#attributes.privateKey#">
<cfhttpparam type="formfield" name="remoteip" value="#cgi.REMOTE_ADDR#">
<cfhttpparam type="formfield" name="challenge"
value="#form.recaptcha_challenge_field#">
<cfhttpparam type="formfield" name="response"
value="#form.recaptcha_response_field#">
</cfhttp>
<cfcatch>
<cfthrow type="RECAPTCHA_NO_SERVICE"
message="recaptcha: unable to contact recaptcha verification service on url
'#VERIFY_URL#'">
</cfcatch>
</cftry>

<cfset aResponse = listToArray(cfhttp.fileContent, chr(10))>

<!--- an empty body means the service did not answer usefully; never treat that as a pass --->
<cfif arrayLen(aResponse) eq 0>
<cfthrow type="RECAPTCHA_NO_SERVICE"
message="recaptcha: empty response from verification service on url '#VERIFY_URL#'">
</cfif>

<!--- trim() strips a trailing CR so callers can compare form.recaptcha eq "true" safely --->
<cfset form.recaptcha = trim(aResponse[1])>

<!--- the error code line is only present on failure; guard before reading it --->
<cfset sError = "">
<cfif arrayLen(aResponse) gte 2>
<cfset sError = trim(aResponse[2])>
</cfif>

<!--- remove the consumed challenge so it cannot be reused further down the request --->
<cfset structDelete(form, "recaptcha_challenge_field")>
<cfset structDelete(form, "recaptcha_response_field")>

<!--- a wrong answer is a normal "false"; any other error code is a configuration or service problem --->
<cfif form.recaptcha eq "false" and sError neq "incorrect-captcha-sol">
<cfthrow type="RECAPTCHA_VERIFICATION_FAILURE"
message="recaptcha: the verification service responded with error
'#sError#'. See http://recaptcha.net/apidocs/captcha/ for error
meanings.">
</cfif>

<cfelse>

<!--- no challenge fields in this request, so nothing was verified --->
<cfset form.recaptcha = "falsehaha">

</cfif>

<!--- render the widget; the script and noscript variants both post the two recaptcha_* fields --->
<cfif attributes.action eq "render">

<cfif attributes.ssl>
<cfset challengeURL = SSL_CHALLENGE_URL>
<cfelse>
<cfset challengeURL = CHALLENGE_URL>
</cfif>

<cfoutput>
<script type="text/javascript">
<!--
var RecaptchaOptions = {
theme : '#attributes.theme#',
tabindex : #attributes.tabIndex#
};
//-->
</script>
<script type="text/javascript"
src="#challengeURL#/challenge?k=#attributes.publicKey#">
</script>
<noscript>
<iframe src="#challengeURL#/noscript?k=#attributes.publicKey#"
height="300" width="500" frameborder="0"></iframe><br>
<textarea name="recaptcha_challenge_field" rows="3" cols="40">
</textarea>
<input type="hidden" name="recaptcha_response_field"
value="manual_challenge">
</noscript>
</cfoutput>

</cfif>
<cfsetting enablecfoutputonly="false">

and this is the block of code I have on the site:


<div class="captcha" style="float:left; padding-left: 36px;"> 
<cf_recaptcha 
privateKey="myKey" 
publicKey="myKey"> 
</div> 

----- Original Message -----
From: "Aaron J. White" <[email protected]> 
To: "Open BlueDragon" <[email protected]> 
Sent: Wednesday, March 14, 2012 12:04:34 PM 
Subject: [OpenBD] Re: captcha without session 

Whoops. Try this link if the one above doesn't work. 
https://groups.google.com/group/openbd/browse_thread/thread/67659903b6048510/9c8d27e798a82f5d
 

On Mar 14, 11:02 am, "Aaron J. White" <[email protected]> wrote: 
> Hey Guys, 
> 
> Assuming you are not using sessions. If you have a captcha on a html 
> form like the one mentioned by Stan in the conversation here (using a 
> hashed value in a hidden 
> input):https://groups.google.com/group/openbd/browse_thread/thread/67659903b...
>  
> 
> What stops a malicious person from saving your form as a .htm file on
> their computer and submitting the same form every time? Your action page
> is just looking to see if hash(user_answer) EQ prehashed_answer. It 
> doesn't care if the same value has been submitted a thousand times or 
> where it comes from. Originally I thought Stan's answer was great and 
> I was thinking about implementing it in a production environment 
> instead of sessions, but a coworker brought this point up to me and I 
> didn't have an answer. 
> The only solution I could think of is somehow adding an encrypted 
> timestamp to the form, but that may not be any better. 
> 
> I can easily implement sessions if it's the only way. However,
> anonymous sessions for a few simple forms on a public-facing site seem
> like overkill to me.
> Anyone have experience implementing a captcha without sessions? 
> Suggestions? 
> 
> Thanks! 

-- 
online documentation: http://openbd.org/manual/ 
google+ hints/tips: https://plus.google.com/115990347459711259462 
http://groups.google.com/group/openbd?hl=en 
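The replay problem raised in the quoted message (a saved form re-submitted against a hash-only check) and the "encrypted timestamp" idea, worked through as an added Python example that is not part of this thread or of OpenBD. The secret key, the 300-second TTL and the used-nonce set are assumptions of the demo; the nonce set is the only server-side state and needs no per-visitor session.

```python
import hashlib
import hmac
import os

# Constructed demo values; in a real deployment the key lives only on the server.
SECRET = b"constructed-demo-secret"
TTL = 300            # seconds a challenge stays valid
USED = set()         # nonces already redeemed: the only server-side state needed


def weak_hidden_value(answer: str) -> str:
    """Scheme from the thread: the hidden field carries hash(answer)."""
    return hashlib.sha256(answer.encode()).hexdigest()


def weak_check(user_answer: str, hidden_hash: str) -> bool:
    """Action-page check from the thread; a saved form passes this forever."""
    return hmac.compare_digest(weak_hidden_value(user_answer), hidden_hash)


def _mac(*parts: str) -> str:
    return hmac.new(SECRET, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def issue(answer: str, now: int) -> dict:
    """Hardened hidden fields: keyed answer tag, random nonce, expiry, signature."""
    tag = _mac("answer", answer)      # keyed, so the hidden value cannot be brute-forced offline
    nonce = os.urandom(8).hex()
    expires = now + TTL
    return {"tag": tag, "nonce": nonce, "expires": expires,
            "sig": _mac("form", tag, nonce, str(expires))}


def strong_check(user_answer: str, f: dict, now: int) -> str:
    """Returns 'ok' or the reason the submission was refused."""
    expected = _mac("form", f["tag"], f["nonce"], str(f["expires"]))
    if not hmac.compare_digest(expected, f["sig"]):
        return "bad-signature"        # hidden fields were edited (e.g. expiry pushed out)
    if now > int(f["expires"]):
        return "expired"              # the timestamp alone only bounds the replay window
    if f["nonce"] in USED:
        return "replayed"             # the nonce set closes that window entirely
    if not hmac.compare_digest(_mac("answer", user_answer), f["tag"]):
        return "wrong-answer"
    USED.add(f["nonce"])              # redeem only on success, so a typo keeps the challenge usable
    return "ok"
```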
