How to protect registration page from multiple malicious requests?

Question

I allow users to register on my website using a registration form. Once form is submitted a token will be generated and will be sent by email to user, they need to click on the token link to activate their account.

My question is that if I do it, do the malicious codes can still send multiple emails to my website to register, should I use Captcha to protect the website or there is any other method ?

Answer 1

If all you want is to prevent double submissions, you can generate a unique token for the form that you check on submission. This requires some thought if there are multiple forms per page. Also, a simple method is to just disable the form/button on submission. This is even more effective if the form is submitted via Ajax (so that the action parameter of the form can be absent and thus not easily harvestable).

If you want to prevent automatic submissions (by bots), while Captcha is probably the strongest of the common methods, it is also very user-hostile. Instead, unless you have a reason to believe your site is being specifically targeted, it is usually enough to just use honey-pot fields (invisible fields that a human would never fill but a bot would) and hidden fields that you fill with a known value after a short delay using JS (a bot wouldn't normally execute JS nor take time to type into fields like a human). Simply doing an Ajax submission is also usually enough. I recommend using one or a mixture of these methods before falling back to Captcha.

Answer 2

Captcha is one of the standard methods.

Another way is do not do a direct submit of the form.Use AJAXfied server calls sos that form does not get posted by itself but has some data scrambling of inner fields & delays the submissions.

$("#contactForm").submit(function(event) 
 {
     /* stop form from submitting normally */
     event.preventDefault();

     /* get some values from elements on the page: */
     var $form = $( this ),
         $submit = $form.find( 'button[type="submit"]' ),
         name_value = $form.find( 'input[name="name"]' ).val(),
         email_value = $form.find( 'input[name="email"]' ).val(),
         phone_value = $form.find( 'input[name="phone"]' ).val(),
         message_value = $form.find( 'textarea[name="message"]' ).val();


     /* Send the data using post */
     var posting = $.post( "contact-form-handler.php", { 
                       name: name_value, 
                       email: email_value, 
                       phone: phone_value, 
                       message: message_value 
                   });

     posting.done(function( data )
     {
         /* Put the results in a div */
         $( "#contactResponse" ).html(data);

         /* Change the button text. */
         $submit.text('Sent, Thank you');

         /* Disable the button. */
         $submit.attr("disabled", true);
     });
});</script>