Well, you wouldn't disregard the form data; you could simply show the
form again with a message that the captcha should be solved again,
similar to a validation mistake. Additionally, you could only show the
captcha when the user scrolls it into view, through ajax, preventing
timeouts from happening on long forms, as is fairly common nowadays.
David
On Wednesday 14 March 2012 21:20:54, Jeff Lucido wrote:
Aaron:
Have you thought of trying to use a timestamp value when you create
your hash? Specifically, how about using the current timestamp along
with some other string when creating your key for your hash. Hash the
captcha text and append the timestamp value (or pass it as a separate
hidden form field value). This way, when you get to the server you can
see how long it has been since the timestamp was created. If it falls
outside of some set time period (say 20 minutes), then disregard the
entire form post data regardless of whether the person got the captcha correct.
Just a quick thought that may be of some help. I can elaborate more if
you are interested.
Regards,
-JSLucido
On Wed, Mar 14, 2012 at 11:02 AM, Aaron J. White <[email protected]> wrote:
Hey Guys,
Assuming you are not using sessions: if you have a captcha on an HTML
form like the one mentioned by Stan in the conversation here (using a
hashed value in a hidden input):
https://groups.google.com/group/openbd/browse_thread/thread/67659903b6048510/9c8d27e798a82f5d?lnk=gst&q=captcha#9c8d27e798a82f5d
What stops a malicious person from saving your form as a .htm file on
their computer and submitting the same form every time? Your action page
is just looking to see if hash(user_answer) EQ prehashed_answer. It
doesn't care if the same value has been submitted a thousand times or
where it comes from. Originally I thought Stan's answer was great and
I was thinking about implementing it in a production environment
instead of sessions, but a coworker brought this point up to me and I
didn't have an answer.
The only solution I could think of is somehow adding an encrypted
timestamp to the form, but that may not be any better.
I can easily implement sessions if it's the only way. However,
anonymous sessions for a few simple forms on a public facing site seem
like overkill to me.
Anyone have experience implementing a captcha without sessions?
Suggestions?
Thanks!
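Jeff's timestamp-in-the-hash suggestion, together with the replay question Aaron raises and the "just re-show the form" handling David describes, as an added example. This is not code from this thread or from OpenBD: it is written in Python rather than CFML so it can be run as-is, and the secret key, the token layout (`<timestamp>.<hmac>` in one hidden field), the 20-minute window and the clock-skew allowance are all assumptions. It uses a keyed HMAC instead of a plain hash of the captcha text, so a client who has the page source cannot forge a token for a new answer, and it returns a result the action page can use to re-render the form with a message rather than silently discarding the post.

```python
import hashlib
import hmac
import time

# Assumption: a server-side secret loaded from configuration. It is fixed here
# only so the example is reproducible; it must never be placed in the form.
SECRET_KEY = b"example-secret-change-me"

MAX_AGE_SECONDS = 20 * 60   # the 20-minute window suggested in the thread (assumption)
CLOCK_SKEW_SECONDS = 60     # tolerate a token "from the future" by this much (assumption)


def _normalize(answer):
    """Captcha answers are compared case-insensitively, ignoring surrounding spaces."""
    return answer.strip().lower()


def _mac(answer, issued_at, secret):
    """HMAC-SHA256 over the issue time and the normalised answer.

    Binding the timestamp into the MAC means the client cannot edit the
    timestamp in the hidden field to extend the window.
    """
    message = "{}:{}".format(issued_at, _normalize(answer)).encode("utf-8")
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def issue_token(answer, issued_at=None, secret=SECRET_KEY):
    """Value to put in the hidden field when the form (and captcha image) is rendered."""
    ts = int(time.time()) if issued_at is None else int(issued_at)
    return "{}.{}".format(ts, _mac(answer, ts, secret))


def verify_token(token, user_answer, now=None, max_age=MAX_AGE_SECONDS, secret=SECRET_KEY):
    """Return True only if the token is well-formed, unexpired, untampered and the
    submitted answer matches the one the token was issued for.

    Any failure (expired or wrong) should lead to re-rendering the form with a
    fresh captcha and a message, as David suggests, not to a silent drop.
    """
    try:
        ts_text, mac = token.split(".", 1)
        ts = int(ts_text)
    except (ValueError, AttributeError):
        return False                      # malformed or missing hidden field
    now = int(time.time()) if now is None else int(now)
    if ts > now + CLOCK_SKEW_SECONDS:
        return False                      # issued in the future: forged or broken clock
    if now - ts > max_age:
        return False                      # expired: Jeff's "outside the set time period"
    expected = _mac(user_answer, ts, secret)
    return hmac.compare_digest(mac, expected)   # constant-time comparison


def verify_token_once(token, user_answer, used_tokens, now=None,
                      max_age=MAX_AGE_SECONDS, secret=SECRET_KEY):
    """Same check, plus single use. This is the part that cannot be stateless:
    without some server-side record of consumed tokens, a valid token can be
    replayed until it expires. `used_tokens` stands in for a small table whose
    rows can be purged once they are older than max_age."""
    if not verify_token(token, user_answer, now=now, max_age=max_age, secret=secret):
        return False
    if token in used_tokens:
        return False                      # the replay Aaron's coworker described
    used_tokens.add(token)
    return True


if __name__ == "__main__":
    # Constructed sample: the captcha shown to the user read "a7k2".
    issued = 1_000_000
    token = issue_token("a7k2", issued_at=issued)
    print("hidden field value:", token)
    print("correct answer, 10 min later:", verify_token(token, " A7K2 ", now=issued + 600))
    print("correct answer, 21 min later:", verify_token(token, "a7k2", now=issued + 1260))
    seen = set()
    print("first use:", verify_token_once(token, "a7k2", seen, now=issued + 600))
    print("replayed: ", verify_token_once(token, "a7k2", seen, now=issued + 600))
```

The timestamp alone only bounds the replay window; it does not close it. If a single token being submitted a thousand times within 20 minutes matters for the form in question, the `used_tokens` record (or a rate limit keyed on the token) is the minimum server-side state needed, and it is far lighter than a session.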
--
online documentation: http://openbd.org/manual/
google+ hints/tips: https://plus.google.com/115990347459711259462
http://groups.google.com/group/openbd?hl=en