Maybe one approach would be to have an AJAX call dynamically generate a
math test when a user clicks on a "submit comment" link,
so the page before the user clicks could be cached like this:

    comment (textarea)
    url (input box)
    email (input box)
    <DIV id='bot_filter'>
    "submit comment" (link)
    </DIV>

When the user clicks the link, via an AJAX call to a JSP, the submit comment
link in the <DIV> is replaced by:

    math question (input box)
    math_question_id (hidden field)
    submit comment (button)

-John

Matt Raible wrote:
> On 1/3/06, Allen Gilliland <[EMAIL PROTECTED]> wrote:
>> team,
>>
>> just before the holidays, Dave and I discovered a rather unfortunate bug
>> created by the way the current comment authenticators work coupled with
>> how our page caching works. basically, because the comment
>> authenticators actually embed their html in the page at rendering time
>> the comment authentication cannot work on a cached page because the page
>> will display an old and false cached version of the authenticator html.
>>
>> the problem has technically existed for quite a long time, however it
>> wasn't noticed because in the past we used to have the old /comments/*
>> urls and we also didn't have the option of a non-expiring cache. now
>> that we allow any page to potentially be cached for a long time we need
>> a way to allow the comment authentication to remain dynamic.
>>
>> my initial thoughts are to use a little AJAX that will call back to a
>> servlet and ask how to authenticate. i don't have a proposal yet, but i
>> figured i'd ask around first and see if anyone has any other ideas of
>> how to tackle this.
>
> Doing this with Ajax should be easy enough - the question is how
> secure will it be. If it's JavaScript that can be called, what's to
> stop spammers from calling the same methods?
>
> Matt
>
>> jira issue is open here ...
>> http://opensource2.atlassian.com/projects/roller/browse/ROL-935
>>
>> -- Allen
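
The flow sketched at the top of this message, with the question about spammers calling the same methods in mind, as an added example that is not part of the thread and not Roller code: a hypothetical `MathChallengeStore` that the AJAX-called JSP and the comment handler could share, so the cached page never contains a challenge. The class and method names, the 10-minute lifetime and the single-digit addition are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical server-side store behind the AJAX call; illustrative only. */
public class MathChallengeStore {
    /** What the AJAX response carries: the id and the question, never the answer. */
    public record Challenge(String id, String question) {}
    private record Pending(int answer, long expiresAtMillis) {}

    private static final long TTL_MILLIS = 10 * 60 * 1000L; // assumed lifetime
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    /** Called by the endpoint that replaces the "submit comment" link. */
    public Challenge issue(long nowMillis) {
        pending.values().removeIf(p -> nowMillis > p.expiresAtMillis()); // drop stale entries
        int a = 1 + random.nextInt(9), b = 1 + random.nextInt(9);
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        String id = HexFormat.of().formatHex(raw); // unguessable math_question_id
        pending.put(id, new Pending(a + b, nowMillis + TTL_MILLIS));
        return new Challenge(id, "What is " + a + " + " + b + "?");
    }

    /** Called when the comment form is posted; each id is accepted at most once. */
    public boolean verify(String id, String submitted, long nowMillis) {
        if (id == null || submitted == null) return false;
        Pending p = pending.remove(id); // consumed on first use, right or wrong
        if (p == null || nowMillis > p.expiresAtMillis()) return false;
        try {
            return Integer.parseInt(submitted.trim()) == p.answer();
        } catch (NumberFormatException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        MathChallengeStore store = new MathChallengeStore();
        long now = System.currentTimeMillis();
        Challenge c = store.issue(now);
        System.out.println(c.id() + " -> " + c.question());
        System.out.println("id never issued: " + store.verify("not-issued", "5", now));
        System.out.println("wrong answer:    " + store.verify(c.id(), "wrong", now));
        System.out.println("same id again:   " + store.verify(c.id(), "2", now));
    }
}
```

Because the answer stays on the server and each id is consumed on first use, a script that calls the endpoint directly gets only a fresh question and cannot replay an old id; this does not stop a client that reads and solves the question itself.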