
Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA


On Aug 25, 2005, at 11:56 AM, Michael Peters wrote:

> Well, just to point out, CAPTCHA isn't perfect. It'll probably work for
> now, but long term you may need to look at other options. Or maybe
> GD::SecurityImage will pick up some better techniques...
>
> http://sam.zoy.org/pwntcha/

You're absolutely right - it's not perfect, but it's significantly better than what I and I bet countless others have right now, which is nothing. CAPTCHAs are already well-researched and fairly easy to implement, and as our project is already behind schedule, there is minimal time that I would like to invest in researching other options. It's good enough for now ;)

That being said, as long as I have to write it, someone else might as well benefit from the plugin.

> I'm sure you're planning it, but be sure to make most of these options
> have reasonable defaults. For instance, if not given a PATH use
> File::Temp, etc.

Of course. I'm more looking for feedback on the interface, which you also provided ;)

> I don't think the user should have to call create_captcha() at all. It
> should be a run mode that is automatically added to the using app.

What about those runmodes that don't need a CAPTCHA? All of my runmodes are not good candidates for it.

> This is how I would do it. In create_captcha() create a random string
> (using something like Data::Random). Then create a hash of that string
> using crypt() (and a random salt from Data::Random again). Use the
> password as the text in the image and pass the hashed value in a cookie.
>
> If the user then submits data, verify_captcha() should look at the field
> in question, and then use crypt() again with the hashed value from the
> cookie to verify that the string would indeed match.
>
> If you use the method I described above you don't need to store anything.

Very slick, I like that.


> If create_captcha() simply returned the image to the browser then the
> user could do something like this in their HTML
>
> <img src="/my/app?rm=captcha">
>
> And put it wherever they want.

So, essentially we change the type of header produced by C::A, then return the image data from the runmode? Am I following correctly? If so, what of cgiapp_postrun? For those of us that sometimes alter headers there, this would be an issue to be contended with.

I'm curious to see your reply. I'd like to use some of these ideas, but I need some explanation to fill in some of the blanks for me.

Thanks!
Jason

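The stateless create_captcha()/verify_captcha() scheme Michael sketches above, written out as an added example; this is not code from the thread or from the CGI::Application::Plugin::CAPTCHA module. Data::Random and the cookie plumbing are left out: random bytes come from /dev/urandom, the salt helper and the six-character length are my assumptions, and the "cookie" is just the returned hash string. Note that because the hash travels to the browser and nothing is kept server-side, one solved text/cookie pair verifies as often as it is replayed, so a deployment would also bind the cookie to a time window or a one-time token.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# CAPTCHA alphabet: drop 0/O/1/I/l so the human has a fair chance at reading it.
my @ALPHABET   = grep { !/[01OIl]/ } ('A'..'Z', 'a'..'z', '2'..'9');
# Characters crypt() accepts in a salt.
my @SALT_CHARS = ('A'..'Z', 'a'..'z', '0'..'9', '.', '/');

# Random bytes from the OS; rand() is only a fallback when /dev/urandom is absent.
sub random_bytes {
    my ($n) = @_;
    if (open my $fh, '<:raw', '/dev/urandom') {
        my $buf = '';
        read $fh, $buf, $n;
        close $fh;
        return $buf if length($buf) == $n;
    }
    return join '', map { chr(int rand 256) } 1 .. $n;
}

# Pick $len characters from the given set (tiny modulo bias; fine for a CAPTCHA).
sub random_string {
    my ($chars, $len) = @_;
    my @bytes = unpack 'C*', random_bytes($len);
    return join '', map { $chars->[ $_ % @$chars ] } @bytes;
}

# Assumed helper: prefer glibc's SHA-512 crypt scheme ($6$) when this perl's
# crypt() supports it, otherwise fall back to the traditional two-char DES salt.
sub make_salt {
    my $strong = '$6$' . random_string(\@SALT_CHARS, 16) . '$';
    my $probe  = crypt('probe', $strong);
    return $strong if defined $probe && index($probe, '$6$') == 0;
    return random_string(\@SALT_CHARS, 2);
}

# create_captcha: returns the plaintext to render into the image and the hash
# to hand to the browser in a cookie. Nothing is stored server-side.
sub create_captcha {
    my ($len) = @_;
    $len ||= 6;                                  # assumed default length
    my $text = random_string(\@ALPHABET, $len);
    my $hash = crypt($text, make_salt());
    return ($text, $hash);
}

# verify_captcha: re-hash what the user typed using the cookie value as the
# salt argument. crypt() reads only the salt prefix it understands from that
# value, so the result equals the cookie exactly when the text matches.
sub verify_captcha {
    my ($submitted, $cookie_hash) = @_;
    return 0 unless defined $submitted && defined $cookie_hash;
    return 0 unless length $cookie_hash;         # missing/blanked cookie
    my $rehash = crypt($submitted, $cookie_hash);
    return (defined $rehash && $rehash eq $cookie_hash) ? 1 : 0;
}

# Small demo when run directly (skipped when the file is required as a library).
unless (caller) {
    my ($text, $hash) = create_captcha(6);
    print "image text            : $text\n";
    print "cookie                : captcha=$hash\n";
    print "right answer verifies : ", verify_captcha($text,  $hash), "\n";
    print "wrong answer verifies : ", verify_captcha('nope', $hash), "\n";
    print "blank cookie verifies : ", verify_captcha($text,  ''),    "\n";
}
```

The run mode would draw $text into the image (GD::SecurityImage, as the thread suggests) and set the cookie to $hash; the form handler calls verify_captcha() with the submitted field and the cookie it gets back. Treat the cookie as untrusted input: the check above only ever compares crypt() output, never the cookie's contents on their own.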

---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/suppressed/
             http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2