This may have been discussed before, so I may have lost it in the discussion
thread: Why not encrypt the mystery text with a secret key and supply it as
a hidden param? Then simply decrypt the mystery text and it should match the
user's plain text response (or even better, use md5 to hash the mystery text
with the key to get the code, and then repeat the process with the user's
response).
Dan
> -----Original Message-----
> From: Tony Fraser [mailto:suppressed
> Sent: Saturday, 27 August 2005 10:12
> To: Michael Peters
> Cc: suppressed; 'Cees Hek'; CGI Application List
> Subject: Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA
>
>
> On Fri, 2005-08-26 at 14:35, Michael Peters wrote:
> > Dan Horne wrote:
> > > It would be nice if whatever solution is selected can run under
> > > Windows too. Many memory-based caching systems are specific to *nix
> > > systems and don't work with MS (particularly the IPC ones). What
> > > about supporting the Cache::Cache API, and then let the developers
> > > choose which Cache::* module suits?
> >
> > Ok, before we go down this road, can anyone give me a good reason that
> > we need to permanently store these images or even cache them? The
> > CAPTCHA phrase should be random enough that we would never use the
> > same image twice in a reasonable amount of time right?
>
> Unless you require the use of cookies you need to store
> either the image or the string that is in the image on the
> server. You need the hash when you generate the form that is
> protected by the captcha and you need the plain text that is
> in the image when you generate the image.
>
> To me that leaves 2 choices:
>
> 1. Store the plain text on the server somehow, indexed by the
> hash. Then generate the image as needed.
>
> 2. Generate the image and the hash at the same time and
> somehow save the image so that it can be retrieved by its
> hash in a separate HTTP request.
>
> Either way there has to be persistent storage on the server.
> My vote is to generate the hash and the image at the same
> time. Save the image to the filesystem and let the webserver
> do its thing for the second HTTP request by serving the image
> as static content.
>
> If you put the info required to generate the image in the
> query string of the runmode that generates the image you've
> just given the robots everything they need to defeat the captcha.
>
> --
> Tony Fraser
> suppressed
> Sybaspace Internet Solutions    System Administrator
> phone: (250) 246-5368           fax: (250) 246-5398
>
>
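A sketch of the keyed-hash hidden field suggested at the top of this message, as an added example (not code from the thread or from any CGI::Application plugin). It swaps md5-with-key for HMAC-SHA256 from Digest::SHA and adds an expiry plus a spent-token check, since a hidden value paired with a known answer can otherwise be resubmitted; the secret, TTL, function names and the `%seen` store are assumptions.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'constructed-demo-key';   # assumed server-side secret, never sent to the client
my $TTL    = 300;                      # assumed lifetime of a challenge, in seconds

# Value for the hidden form field: "expiry:mac". The MAC covers the expiry and
# the lower-cased mystery text, so the client can alter neither undetected.
sub make_token {
    my ($mystery, $now) = @_;
    my $expires = $now + $TTL;
    return "$expires:" . hmac_sha256_hex("$expires:" . lc($mystery), $SECRET);
}

# Constant-time string comparison: no early exit on the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Repeat the keyed hash over the user's response and compare with the token.
# $seen stands in for a server-side store of spent tokens (evict at expiry).
sub check_response {
    my ($token, $response, $now, $seen) = @_;
    my ($expires, $mac) = ($token // '') =~ /\A([0-9]+):([0-9a-f]{64})\z/
        or return 'malformed';
    return 'expired'  if $now > $expires;
    return 'replayed' if $seen->{$token}++;    # one attempt per token, right or wrong
    my $expect = hmac_sha256_hex("$expires:" . lc($response // ''), $SECRET);
    return ct_eq($mac, $expect) ? 'ok' : 'wrong';
}

# Constructed sample run.
my %seen;
my $t0   = 1_125_137_520;                      # constructed timestamp
my $tok1 = make_token('xK4pQ', $t0);
my $tok2 = make_token('m7RtW', $t0);
print "correct answer:   ", check_response($tok1, 'xk4pq', $t0 + 10, \%seen), "\n";
print "same token again: ", check_response($tok1, 'xk4pq', $t0 + 20, \%seen), "\n";
print "wrong answer:     ", check_response($tok2, 'zzzzz', $t0 + 10, \%seen), "\n";
print "after expiry:     ", check_response(make_token('abcde', $t0), 'abcde', $t0 + 301, \%seen), "\n";
```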
---------------------------------------------------------------------
Web Archive: http://www.mail-archive.com/suppressed/
http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2