Aaron: Have you thought of trying to use a timestamp value when you create your hash? Specifically, how about using the current timestamp along with some other string when creating your key for your hash. Hash the captcha text and append the timestamp value (or pass it as a separate hidden form field value). This way, when you get to the server you can see how long it has been since the timestamp was created. If it falls outside of some set time period (say 20 minutes), then disregard the entire form post data regardless of whether the person got the captcha correct.
Just a quick thought that may be of some help. I can elaborate more if you are interested.

Regards,
-JSLucido

On Wed, Mar 14, 2012 at 11:02 AM, Aaron J. White <[email protected]> wrote:
> Hey Guys,
>
> Assuming you are not using sessions. If you have a captcha on a html
> form like the one mentioned by Stan in the conversation here (using a
> hashed value in a hidden input):
> https://groups.google.com/group/openbd/browse_thread/thread/67659903b6048510/9c8d27e798a82f5d?lnk=gst&q=captcha#9c8d27e798a82f5d
>
> What stops a malicious person from saving your form as a .htm file on
> their computer and submit the same form every time? Your action page
> is just looking to see if hash(user_answer) EQ prehashed_answer. It
> doesn't care if the same value has been submitted a thousand times or
> where it comes from. Originally I thought Stan's answer was great and
> I was thinking about implementing it in a production environment
> instead of sessions, but a coworker brought this point up to me and I
> didn't have an answer.
> The only solution I could think of is somehow adding an encrypted
> timestamp to the form, but that may not be any better.
>
> I can easily implement sessions if it's the only way. However,
> anonymous sessions for a few simple forms on a public facing site seem
> like overkill to me.
> Anyone have experience implementing a captcha without sessions?
> Suggestions?
>
> Thanks!
>
> --
> online documentation: http://openbd.org/manual/
> google+ hints/tips: https://plus.google.com/115990347459711259462
> http://groups.google.com/group/openbd?hl=en
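The session-less check sketched in the reply (hidden token derived from the captcha text plus a timestamp, rejected after 20 minutes), as an added example that is not from the thread or the OpenBD project. It is written in Python rather than CFML, uses an HMAC with a server-side secret (an assumption here) instead of a plain hash so the client cannot compute a token for its own answer, and shows the replay caveat from Aaron's question: within the window, the same saved form still verifies unless redeemed tokens are remembered server-side.

```python
import hashlib
import hmac
import time

# Assumption: a key held only on the server (constructed value for this example).
SERVER_SECRET = b"constructed-example-secret"
MAX_AGE_SECONDS = 20 * 60  # the 20-minute window suggested in the reply


def make_token(answer: str, issued_at: int) -> str:
    """Keyed hash of the captcha answer and its issue time, for a hidden input.

    The timestamp travels as a second hidden field; because the key never
    leaves the server, a client cannot forge a token for an answer it picked.
    """
    msg = f"{issued_at}:{answer.strip().lower()}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify(user_answer: str, issued_at: int, token: str, now: int,
           redeemed=None) -> bool:
    """Accept the post only if the timestamp is fresh and the token matches.

    `redeemed` stands in for a small server-side store of tokens already
    accepted within the window; without it, a saved form replays until expiry.
    """
    if issued_at > now or now - issued_at > MAX_AGE_SECONDS:
        return False  # outside the time period: disregard the whole post
    expected = make_token(user_answer, issued_at)
    if not hmac.compare_digest(expected, token):
        return False  # wrong answer, or a tampered token/timestamp
    if redeemed is not None:
        if token in redeemed:
            return False  # same form submitted again within the window
        redeemed.add(token)
    return True


if __name__ == "__main__":
    t0 = int(time.time())
    tok = make_token("k7x2q", t0)  # "k7x2q" is a constructed captcha answer
    seen = set()
    print(verify("k7x2q", t0, tok, t0 + 60, seen))   # True: fresh, first use
    print(verify("k7x2q", t0, tok, t0 + 60, seen))   # False: replayed
    print(verify("k7x2q", t0, tok, t0 + 21 * 60))    # False: expired
    print(verify("wrong", t0, tok, t0 + 60))         # False: bad answer
```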
