Hi. I was just playing around with my installation of Roller. I was using my wife's machine and I was trying to comment on a blog entry. However, I didn't see the "Please answer this simple math question" show up on the page. I use a JavaScript-blocking toolbar in Firefox, and I hadn't enabled JavaScript for the site that Roller was running on. When I enabled it, the field with the math question appeared in the page.

I'm just curious as to why Roller needs to use JavaScript for this? I guess it's to avoid generating the numbers in the HTML, which would make it easy for bots to parse. But this could still be bypassed by a bot if the page is processed by a library that could execute the JavaScript code. In general, I consider JavaScript to be a real annoyance. Not only is it insecure, it's also very unpredictable as to how it's implemented in various browsers. There are some sites that I use that require JavaScript to function, and I reluctantly allow it for those sites, but I really don't see it being necessary for most sites.

As for the math question, I guess there's some kind of cookie associated with it so that you can verify that the response is for a certain challenge. Why couldn't this be done by just passing cookies in the HTTP header like most session cookies are handled?

I'd like to suggest using JCaptcha (jcaptcha.sourceforge.net) instead of the math question. From a usability standpoint, I think this is better and much more intuitive, and it doesn't require JavaScript. The math question is very easy to miss, and it wasn't obvious to me the first time I visited a Roller blog that it was required to post a comment. Most people are used to CAPTCHA systems when they sign up for services at Yahoo, Google, AOL, and other large sites. I think it would be more obvious than the math question.

The only caveat that I'm aware of with JCaptcha is that it uses Java imaging libraries that use the GraphicsContext class. This will sometimes cause Tomcat to crash on servers that are running "headless" unless the Java runtime environment has been told specifically that it is running headless. This can be done by passing -Dawt.headless=true to the JVM. Once that is done, JCaptcha works really nicely in a headless server environment.

Just some thoughts.

/Henrik
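The cookie-based alternative Henrik asks about, written up as an added example in Python that is not part of the original post and is not code from Roller or JCaptcha: the question is emitted in plain HTML, and the cookie carries only a nonce, an issue timestamp and an HMAC over the expected answer under a server-side key, so the client never sees the answer and no JavaScript is needed. The key, the 600-second lifetime and the in-memory set of used nonces are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side key for this example; a real deployment would load
# it from configuration and rotate it. It never leaves the server.
SERVER_KEY = secrets.token_bytes(32)
CHALLENGE_TTL = 600            # seconds a challenge stays answerable (assumed)
_used_nonces = set()           # single-use record; a shared store in practice


def _tag(nonce, issued, answer):
    """HMAC binding nonce, issue time and the expected answer to SERVER_KEY."""
    msg = f"{nonce}:{issued}:{answer}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def new_challenge(a, b, now=None):
    """Return (question text for the HTML form, value for a session cookie).

    The cookie reveals neither the operands nor the answer: only a nonce, the
    issue time and an HMAC that a client without SERVER_KEY cannot forge."""
    issued = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    cookie = f"{nonce}:{issued}:{_tag(nonce, issued, a + b)}"
    return f"What is {a} + {b}?", cookie


def verify_answer(cookie, submitted, now=None):
    """Check a posted answer against the challenge cookie sent with the form."""
    try:
        nonce, issued_s, tag = cookie.split(":")
        issued = int(issued_s)
        answer = int(submitted.strip())
    except ValueError:
        return False                      # malformed cookie or non-numeric answer
    current = int(time.time()) if now is None else now
    if not 0 <= current - issued <= CHALLENGE_TTL:
        return False                      # expired, or issued "in the future"
    if nonce in _used_nonces:
        return False                      # replay of an already-spent challenge
    # Spend the nonce on the first attempt, right or wrong: the answer space
    # of a small sum is tiny, so one guess per challenge is what keeps a
    # bot from cycling through every value against the same cookie.
    _used_nonces.add(nonce)
    return hmac.compare_digest(tag, _tag(nonce, issued, answer))
```

A wrong answer therefore costs the visitor a fresh question rather than a retry, and the cookie should still be marked HttpOnly and Secure like any other session cookie.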
