CAPTCHA

We don’t take security as seriously as we should at work; issues are handled when they come up. Recently a spam bot was abusing the contact form on our site. So we went out on the intraweb, searched on Google for CAPTCHA, and probably installed the first solution we came across.

However, I dislike the idea of CAPTCHA; images are not accessible to everyone. So on our latest project, I used a simple logic field (1+1 = ?). I think this is a better solution, but not everyone agrees. Does anyone else have a better solution?

Comments

2 Responses to “CAPTCHA”

Well, the first thing I would do is look at your web logs and determine if they’re visiting the submission page each time they go to submit data. If not, simply add a value that contains random data that can be set to “expire” after so much time (15 minutes). Probably stored in a DB until they submit the data.

Also remove the value from the DB after it’s been submitted to prevent additional submissions.

To aide with slow typers, make sure the form redisplays what was typed on the error page… might want to suggest they copy/paste it to a new form, or simply give them a new variable on error. Either way, they need to resubmit…

Just a random thought on 4 hours of sleep. Enjoy!

And I can’t type on low sleep either: “aid” is what I shoulda typed.
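
The expiring, single-use form value suggested in the first response can be sketched as follows. This is an added example, not code from the post or its commenters: the `FormTokenStore` class and its method names are hypothetical, and an in-memory Hash stands in for the DB table.

```ruby
require 'securerandom'

# Hypothetical helper; the Hash below stands in for the DB table (assumption).
class FormTokenStore
  TTL_SECONDS = 15 * 60 # the 15-minute expiry suggested in the comment

  # The clock is injectable so expiry can be exercised without waiting.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @issued = {} # token => time the form was rendered
    @lock = Mutex.new
  end

  # Call when rendering the form; put the result in a hidden field.
  def issue
    token = SecureRandom.hex(32)
    @lock.synchronize { @issued[token] = @clock.call }
    token
  end

  # Call when handling the POST. Returns :ok, :missing, :unknown or :expired.
  # The token is deleted on first lookup, so a repeated submission of the
  # same value gets :unknown.
  def redeem(token)
    return :missing if token.to_s.empty?
    issued_at = @lock.synchronize { @issued.delete(token) }
    return :unknown if issued_at.nil?
    (@clock.call - issued_at) > TTL_SECONDS ? :expired : :ok
  end

  # Periodic cleanup for forms that were loaded but never submitted.
  # Returns the number of tokens removed.
  def purge_expired
    cutoff = @clock.call - TTL_SECONDS
    @lock.synchronize do
      before = @issued.size
      @issued.delete_if { |_, issued_at| issued_at < cutoff }
      before - @issued.size
    end
  end
end

# Constructed walk-through with a fake clock (not real traffic).
def demo_results
  now = Time.at(0)
  store = FormTokenStore.new(clock: -> { now })
  fresh = store.issue
  stale = store.issue
  results = [nil, 'made-up-value', fresh, fresh].map { |t| store.redeem(t) }
  now += FormTokenStore::TTL_SECONDS + 1
  results << store.redeem(stale)
end
```

On any result other than `:ok`, the handler would redisplay the form with the typed text preserved and a newly issued token, as the comment suggests for slow typers.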