Validating Form Users

liunx

Guest
Aside from captcha images, what methods are available to validate that form users are human and not bots/programs trying to flood the form? I'd like to avoid captchas if possible because they aren't handicap accessible.<br /><br />It's not a problem with validating the form data itself, because spammers can easily spoof valid data. How do you verify a user is human and not a machine drone trying to flood the comments without captchas?<br /><br />Javascript is right out--too easy to turn off. If sessions were effective, I'd think people would be using them instead of captchas. But I suppose sessions would be better than nothing, especially if they were tied to a database &extra random numbers.<br /><br />Anyone have any ideas? I'm not necessarily looking for code examples, just thoughts on how to verify a human user without resorting to images. Not that I'd turn down code examples, of course!<!--content-->
Well, I guess this is a matter of imagination... the first thing that came to my mind was asking people to check some other page and enter a certain word from somewhere in that other page into a text field in your form. Of course this isn't as viable as captchas (who invented that name?? <img src="http://www.totalchoicehosting.com/forums/style_emoticons/default/sick.gif" style="vertical-align:middle" emoid=":sick:" border="0" alt="sick.gif" />), because page contents may change at any time.<br /><br />There's also the e-mail verification method: you send an e-mail to someone with an unique code, which that person will have to enter in another page to be able to verify his/her account.<!--content-->
CAPTCHA is allegedly an acronym for:<br />"Completely Automated Public Turing Test to Tell Computers and Humans Apart"<br /><br />Ugly, yes indeed, but crafted by the compter geniuses at Carnegie Mellon, not for any esthetic appeal.<br /><br /><a href="http://www.captcha.net/" target="_blank">http://www.captcha.net/</a><!--content-->
To answer the actual question, it would seem that for a one-off web application almost anything would work. Simply requiring any random or semi-random string from the page to be copied into a form field would work unless/until someone wrote a script SPECIFICALLY targetting your page/application that would automatically read and parse the form to craft a specific reply. For that matter, you could automate the process in a hidden form field and that would deter 98% of the vandalism that goes on (since most form spamming/vandalism doesn't even look at unique form instances, just hammers the "action" page with POSTs.)<br /><br />If you want a harder (i.e. more secure) solution, consider implementing IP checking and log the IPs that POSTs come from. Limit a given IP address to 1-3 POSTs every 1-3 minutes. Again, a determined vandal could use a DDOS or IP spoofing to defeat this security measure, but that level of determination is rare.<!--content-->
There's a REALLY good white paper on this topic by the W3C:<br /><a href="http://www.w3.org/TR/turingtest/" target="_blank">http://www.w3.org/TR/turingtest/</a><br /><br />It doesn't give explicit methods or anything, but discusses the pros and cons of various currently-used and potentially-useable methods.<br /><br />The coolest idea to me is the simple logic/knowledge test:<br /><br />Which of these is not a color:<br />A. green<br />B. squirrel<br />C. orange<br />D. red<br /><br /><br />Would be laborious to implement and create, but accessible. And do you really want comments in your blog from someone whose living room is painted "squirrel"?<!--content-->
I love that logic test idea, matman! <img src="http://www.totalchoicehosting.com/forums/style_emoticons/default/thumbup1.gif" style="vertical-align:middle" emoid=":thumbup1:" border="0" alt="thumbup1.gif" /><br /><br />Oh, and thanks for the link, too. <img src="http://www.totalchoicehosting.com/forums/style_emoticons/default/smile.gif" style="vertical-align:middle" emoid=":)" border="0" alt="smile.gif" /><!--content-->
Email verification could work. I can just whitelist certain IP addresses that I know comment often so they don't have to go through it.<br /><br />I thought about the random string thing, but anything I can write a program to get around I don't want to do--if I can hack it, it's a bad thing, you know? <br /><br />I'll definitely check out the link--looks great! The logic test is a good idea. I saw something similar on another site--an extra form field asking "What is Diana's first name?". <br /><br />I doubt any comment spammers would ever actually *want* to target my site anyway--no trackbacks, and all comment URLs include the rel="nofollow" tag, and it's homegrown code so they have to work extra hard to find it (can't search for known files). They'd be doing a lot of work and wasting their time--boy, do I love the thought of them *really* wasting their time by trying to find a way around extra security measures. And if no one bothers, I still know more about security then I did before. Everyone wins (ok, I win).<br /><br />I'll go see what the W3C has to say.<!--content-->
 
Back
Top