I have a question for everyone. I am in the process of building my business's website (I'm striking out on my own as a designer/developer). I absolutely don't want to use CAPTCHA for my form mailer section. I've come up with an alternative that I describe below, and I'd appreciate any feedback I could get as to potential security holes in my thinking.
Here it goes:
On the page where my form mailer is, I capture the user's IP address and the date and time they loaded the page, and assign them a random number, all of which is stored in a MySQL database along with another column called "mail" which has a default value of "no".
The PHP script would also put the random number it assigned to the unique visit (which was attached to the date, time, and IP address in the database) as the value of a hidden field in my form mailer that would post to the email script. When the user posts to the email script, the email script would check all the information captured above against the database and change the value of the "mail" column from "no" to "yes". The email script would refuse to send the email if the information didn't match up or the "mail" column had a value of "yes". On the off chance someone was legitimately trying to send two emails from the form mailer in the same page load, I would send a message via AJAX saying "please reload the page in order to send another email" or something like it. People can send multiple emails if they want, but they have to reload the page first, and a computer would never be able to predict what value the hidden field would have, since it would be random every time.
Why can't I do this?
I hate CAPTCHA, why can't I do this...
Posted by nathanjsweet (Forum Newbie, Posts: 1, Joined: Wed Feb 10, 2010 10:21 pm)

Reply from flying_circus (Forum Regular, Posts: 732, Joined: Wed Mar 05, 2008 10:23 pm, Location: Sunriver, OR):
Re: I hate CAPTCHA, why can't I do this...
nathanjsweet wrote:
> a computer would never be able to predict what value the hidden field would have, since it would be random every time.

Why would a computer need to predict the value if it can read it from your hidden form field? The random number (nonce) is inserted in a form to mitigate CSRF attempts, which is good. Just don't confuse a nonce with Captcha. Captcha's job is to determine if the user trying to use the form on your web page is human, via a Turing test.
It's fine if you store the nonce in a database, just be sure to tie it to a user session, not just their IP. Know that it's possible for a user's IP to change throughout their time on your website, whereas a session will remain consistent.
Captcha does a reasonably good job at what it is supposed to do, even though it has its drawbacks. There are different variations of the Captcha method, so check those out if distorted text images aren't your thing.
Let me preface this next part by saying I don't have any real-world experience on this subject; I am regurgitating advice I have been given from those who do have experience. I will be trying this on my next project.
Scripted attacks on your website *generally* don't process JavaScript. You can set honeypots using JavaScript and/or CSS, anticipating that a script will likely populate a form element with a common name like "password". In your script, if the "password" field is populated, you can assume that someone is monkeying with your form, or it's a scripted request.
Another avenue you might try is to restrict the number of times an email can be submitted within a window of time. Say, if 10 emails are sent within 10 minutes, restrict the IP from making further attempts for like 30 minutes or an hour.
Good luck; there is no complete solution, so do the best you can.
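The following is an added example, not code from either poster, that puts the original post's one-time hidden token together with the reply's three suggestions: bind the token to the PHP session instead of the IP, add a CSS-hidden honeypot field, and throttle an IP after too many sends in a window. Everything here is an assumption of the example: a PDO connection in `$pdo`, the table names `form_tokens` and `form_sends`, the honeypot field name `website` (the reply uses "password" as its illustration), and the limits in the constants.

```php
<?php
// Added example (not code from the thread). The token is consumed with a single
// atomic UPDATE, so a second submit with the same token is refused even if two
// requests race; the "used" column plays the role of the poster's "mail" column.
// Assumed: a PDO connection in $pdo and the two tables sketched below.

session_start();

/*
CREATE TABLE form_tokens (
  token   CHAR(64) PRIMARY KEY,
  sess_id VARCHAR(128) NOT NULL,
  issued  INT NOT NULL,
  used    TINYINT NOT NULL DEFAULT 0
);
CREATE TABLE form_sends (
  ip      VARCHAR(45) NOT NULL,
  sent_at INT NOT NULL,
  INDEX (ip, sent_at)
);
*/

const TOKEN_TTL   = 1800; // a token is accepted for 30 minutes after the page load
const RATE_LIMIT  = 10;   // at most this many sends per IP ...
const RATE_WINDOW = 600;  // ... within this many seconds

// Called while rendering the contact page: stores a fresh token for this session
// and returns it for the hidden field. 256 random bits cannot be guessed, but a
// script can still read the field, so the token alone is not a bot check.
function issueToken(PDO $pdo): string {
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare('INSERT INTO form_tokens (token, sess_id, issued) VALUES (?, ?, ?)');
    $stmt->execute([$token, session_id(), time()]);
    return $token;
}

// Called by the mail script. Returns null when the message may be sent,
// otherwise a short reason that can be shown to the user.
function checkSubmission(PDO $pdo, array $post, string $ip): ?string {
    // Honeypot: the field is hidden with CSS, so a browser submits it empty;
    // a script that fills every input it finds will populate it.
    if (!empty($post['website'])) {
        return 'rejected';
    }

    $token = $post['token'] ?? '';
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return 'please reload the page';
    }

    // Single use: only one UPDATE can match "used = 0", and the token must
    // belong to this session and still be within its lifetime.
    $stmt = $pdo->prepare(
        'UPDATE form_tokens SET used = 1
          WHERE token = ? AND sess_id = ? AND used = 0 AND issued > ?'
    );
    $stmt->execute([$token, session_id(), time() - TOKEN_TTL]);
    if ($stmt->rowCount() !== 1) {
        return 'please reload the page in order to send another email';
    }

    // Per-IP throttle: count successful sends from this address in the window.
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM form_sends WHERE ip = ? AND sent_at > ?');
    $stmt->execute([$ip, time() - RATE_WINDOW]);
    if ((int) $stmt->fetchColumn() >= RATE_LIMIT) {
        return 'too many messages from your address, try again later';
    }

    $stmt = $pdo->prepare('INSERT INTO form_sends (ip, sent_at) VALUES (?, ?)');
    $stmt->execute([$ip, time()]);
    return null;
}

// Markup for the contact page. The honeypot is hidden by CSS rather than
// type="hidden", so to a form-filling script it looks like an ordinary text field.
function renderForm(PDO $pdo): string {
    $token = htmlspecialchars(issueToken($pdo), ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form method="post" action="send.php">
  <input type="hidden" name="token" value="$token">
  <div style="position:absolute;left:-10000px" aria-hidden="true">
    <label>Website <input type="text" name="website" autocomplete="off" tabindex="-1"></label>
  </div>
  <label>Email <input type="email" name="email" required></label>
  <label>Message <textarea name="message" required></textarea></label>
  <button type="submit">Send</button>
</form>
HTML;
}

// In send.php (assumed file name):
// $reason = checkSubmission($pdo, $_POST, $_SERVER['REMOTE_ADDR']);
// if ($reason !== null) { http_response_code(429); exit($reason); }
// ... then build and send the mail.
```

The order of the checks is deliberate: the token is burned before the rate check, so a throttled submitter must reload the page to try again, which is the behaviour the original post asked for. The throttle counts sends that actually went out rather than attempts, so a burst of rejected submissions cannot lock out a later legitimate message from a shared address on its own.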