An unobtrusive partial alternative to CAPTCHA

Subject: An unobtrusive partial alternative to CAPTCHA
Author: Ben Bacarisse
Date: 05-08-2008
Posted by Jerry Stuckle on May 9, 2008, 1:32 pm
Ben Bacarisse wrote:
>
>> Adrienne Boswell wrote:
>>> Gazing into my crystal ball I observed Ben Bacarisse
>>>
>>>> A while back I suggested a method of using timestamps to filter out at
>>>> least some automatic form postings.
> <snip>
>>> You could enhance it by placing the time into a db,
> <snip>
>> Or, better yet, in the session.
>
> See my reply to Adrienne Boswell. I don't think you gain much by
> using session data. There is no reason not to store the data in the
> session, but given the checks I make, I don't think it adds much.
>

Just one more layer of security - it isn't in the web page.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================


Posted by Chuck Anderson on May 9, 2008, 7:04 pm
Jerry Stuckle wrote:
> Ben Bacarisse wrote:
>
>>
>>
>>> Adrienne Boswell wrote:
>>>
>>>> Gazing into my crystal ball I observed Ben Bacarisse
>>>>
>>>>
>>>>> A while back I suggested a method of using timestamps to filter out at
>>>>> least some automatic form postings.
>>>>>
>> <snip>
>>
>>>> You could enhance it by placing the time into a db,
>>>>
>> <snip>
>>
>>> Or, better yet, in the session.
>>>
>> See my reply to Adrienne Boswell. I don't think you gain much by
>> using session data. There is no reason not to store the data in the
>> session, but given the checks I make, I don't think it adds much.
>>
>>
>
> Just one more layer of security - it isn't in the web page.
>
>

With any use of sessions I always have to wonder; what about people who
have cookies disabled?

Do you insist they enable cookies, or go with the flawed trans_sid method?

--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
Nothing he's got he really needs
Twenty first century schizoid man.
***********************************


Posted by Jerry Stuckle on May 9, 2008, 8:46 pm
Chuck Anderson wrote:
> Jerry Stuckle wrote:
>> Ben Bacarisse wrote:
>>
>>>
>>>
>>>> Adrienne Boswell wrote:
>>>>
>>>>> Gazing into my crystal ball I observed Ben Bacarisse
>>>>>
>>>>>
>>>>>> A while back I suggested a method of using timestamps to filter out at
>>>>>> least some automatic form postings.
>>>>>>
>>> <snip>
>>>
>>>>> You could enhance it by placing the time into a db,
>>>>>
>>> <snip>
>>>
>>>> Or, better yet, in the session.
>>>>
>>> See my reply to Adrienne Boswell. I don't think you gain much by
>>> using session data. There is no reason not to store the data in the
>>> session, but given the checks I make, I don't think it adds much.
>>>
>>>
>>
>> Just one more layer of security - it isn't in the web page.
>>
>>
>
> With any use of sessions I always have to wonder; what about people who
> have cookies disabled?
>
> Do you insist they enable cookies, or go with the flawed trans_sid method?
>

PHP will handle the session id through a get parameter. Others do
similarly.

But then, people who surf with cookies disabled are used to sites which
don't work.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================


Posted by Ben Bacarisse on May 9, 2008, 1:18 pm

> Gazing into my crystal ball I observed Ben Bacarisse
>
>> A while back I suggested a method of using timestamps to filter out at
>> least some automatic form postings.
<snip>
>> Briefly, the current time is encoded in a hidden form field when the
>> page containing it is served. The script that processes the form
>> checks the (new) current time against that in the form and rejects the
>> submission if it is either too fast or too slow.
<snip>
>> Of course, the time stamp must be protected so that tampering could be
>> detected, although no examples of altered or missing timestamps showed
>> up in this test (which is hardly surprising, why would a bot alter
>> some mysterious hidden field?).
<snip>
> You could enhance it by placing the time into a db, and upon submission,
> compare the value in the db. Generate a unique identifier as a hidden
> field, and compare that to the one in the db with the time
> submitted.

I am not sure that would add anything. Currently, the server sets the
hidden field to:

time + ":" + md5(time + "some secret string")

When the form comes back, the server splits the string at the ":" and
it computes md5(part-before-the-colon + "some secret string").
Checking that this md5 hash matches the part after the colon is
equivalent, I think, to looking up a unique ID in a server-side DB
(but simpler to do).

--
Ben.
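The hidden-field scheme Ben describes above, written out as an added example (this is not code from the thread or from any poster). It keeps his layout, time followed by a colon and a keyed hash of the time, but uses HMAC-SHA256 in place of md5(time + secret) and a constant-time comparison on the way back in. The secret, the 5-second lower bound and the one-hour upper bound are assumptions chosen for the demonstration. Because the token carries no server-side state, the same token is accepted any number of times inside the window; a database row, as Adrienne suggested, is what you would need to make it single-use.

```python
"""Stateless timestamp token for a form anti-bot check (added example)."""
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Server-side secret. This is a constructed placeholder; in practice load a
# long random value from configuration and never ship it to the browser.
SERVER_SECRET = b"constructed-example-secret-change-me"

# Submission window (assumed values): a form returned faster than MIN_SECONDS
# is judged automated, one returned later than MAX_SECONDS is judged stale.
MIN_SECONDS = 5
MAX_SECONDS = 3600


def _mac(ts: int) -> str:
    """Keyed hash over the timestamp (HMAC-SHA256 instead of md5(time + secret))."""
    return hmac.new(SERVER_SECRET, str(ts).encode("ascii"), hashlib.sha256).hexdigest()


def make_token(now: Optional[int] = None) -> str:
    """Value to place in the hidden field when the form is served: '<unix-time>:<mac>'."""
    ts = int(time.time()) if now is None else now
    return f"{ts}:{_mac(ts)}"


def check_token(token: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Verify the field that came back with the submission. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    ts_str, sep, mac = token.partition(":")
    if sep != ":" or not ts_str.isdecimal():
        return False, "malformed"
    ts = int(ts_str)
    # Recompute the MAC over the submitted time and compare in constant time,
    # so a tampered or missing timestamp is detected without a timing leak.
    if not hmac.compare_digest(_mac(ts), mac):
        return False, "bad-mac"
    elapsed = now - ts
    if elapsed < MIN_SECONDS:
        return False, "too-fast"
    if elapsed > MAX_SECONDS:
        return False, "too-slow"
    return True, "ok"


if __name__ == "__main__":
    served_at = 1_700_000_000  # constructed serve time for the demonstration
    field = make_token(served_at)
    print(field)
    print(check_token(field, served_at + 1))     # too fast: looks like a bot
    print(check_token(field, served_at + 42))    # accepted
    print(check_token(field, served_at + 9000))  # too slow: stale form
    # A bot that rewrites the time to appear slower fails the MAC check.
    forged = f"{served_at - 60}:{field.split(':')[1]}"
    print(check_token(forged, served_at + 42))
```

The field is opaque to the browser but cheap to verify: one HMAC and one comparison per submission, with nothing to look up or expire server-side.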
