Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA

Subject: Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA
Date: Sat, 27 Aug 2005 11:01:02 +0200
From: "Emanuele Zeppieri" <suppressed>

> -----Original Message-----
> From: Michael Peters [mailto:suppressed 
> Sent: Thursday, August 25, 2005 6:56 PM
> To: Jason A. Crome
> Cc: suppressed
> Subject: Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA
> 
> [...]
> 
> I wouldn't store the images at all. A good CAPTCHA should use an image
> only once. That would be a waste to store. Just send the 
> image directly
> to the browser (with the cookie of course).
> 
> [...] 
>
> If create_captcha() simply returned the image to the browser then the
> user could do something like this in their HTML
> 
> <img src="/my/app?rm=captcha">
> 
> And put it where ever they want.

I second this idea suggested by Michael: the captcha should be generated
on-the-fly, by a dedicated run-mode which returns the image binary
content (and there's no need to store the generated image anywhere).

This is exactly what I always do in a very similar context, that is when
I have to generate /live/ charts (for example via GD::Graph) in my CA
applications.

As for the response headers, I have a /dedicated/ subclass (which
inherits from my application base class) which contains only the
run-modes which generate the graphics.
In this subclass, similarly to what suggested by Mark, I then simply
override cgiapp_postrun, this way:

sub cgiapp_postrun {
	my $self = shift;
	$self->header_props( -type => 'image/png' )
}

(change the image type according to the format you are returning of
course).
Since this subclass contains only run-modes which return images, no
further tests are required.

As for the check, I would then suggest to simply store the string,
unencrypted, in the (server side) session data, and then check against
it the string provided by the user.
Trying to avoid session management IMO only leads to greater
complications.

Finally, it could be useful to integrate such captcha plugin with
CAP::ValidateRM (a plugin of a plugin? :-)

Ciao,
Emanuele.


---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/suppressed/
              http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: suppressed
For additional commands, e-mail: suppressed

References:
- Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA
  - From: Michael Peters

Prev by Date: Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA
Next by Date: Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA
Previous by thread: Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA
Next by thread: Re: [cgiapp] RFC: CGI::Application::Plugin::CAPTCHA
Index(es):
- Date
- Thread

Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.