
PHP Captcha without session

Tags:

php

captcha

Ok, here is an issue: in the project I'm working on, we can't rely on server-side sessions for any functionality.

The problem is that common captcha solutions for preventing robotic submits require a session to store the string to match the captcha against.

The question is: is there any way to solve the problem without using sessions? What comes to my mind is serving a hidden form field containing some hash, along with the captcha input field, so that the server can then match these two values together. But how can we make this method secure, so that it couldn't be used to break the captcha easily?

Anton N asked Sep 23 '09 12:09


1 Answer

Without persistent state server-side, I don't see a CAPTCHA working.

What you suggested is not secure since an attacker could easily always POST his own 'hidden field' with matching CAPTCHA text.

Why not do the CAPTCHA from another webserver where you can have persistent state?

Yannick Motton answered Sep 21 '22 05:09
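
The weakness the answer describes, next to a keyed variant of the hidden field, as an added example that is not part of the original thread. `SECRET`, `TTL`, the token layout and all function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread; SECRET, TTL and all function names are assumed.
const SECRET = 'placeholder-random-key-kept-on-the-server'; // never sent to the client
const TTL = 120; // seconds a challenge stays valid (assumed value)

// Scheme from the question: the hidden field is an unkeyed hash of the captcha text.
function naive_token(string $answer): string {
    return hash('sha256', strtolower($answer));
}
// Accepts any pair of submitted values that agree with each other; no secret is involved.
function naive_verify(string $answer, string $token): bool {
    return hash_equals(naive_token($answer), $token);
}

// Keyed variant: token = expiry "." HMAC(expiry | answer) under a key only the server holds.
function signed_token(string $answer, int $now): string {
    $expires = $now + TTL;
    return $expires . '.' . hash_hmac('sha256', $expires . '|' . strtolower($answer), SECRET);
}
function signed_verify(string $answer, string $token, int $now): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed token
    }
    [$expires, $mac] = $parts;
    if ((int)$expires < $now) {
        return false; // challenge expired
    }
    return hash_equals(hash_hmac('sha256', $expires . '|' . strtolower($answer), SECRET), $mac);
}

$now = time();
// Constructed input: a client that never received a challenge supplies both values itself.
$answer = 'abcd';
$selfMade = hash('sha256', $answer);
var_dump(naive_verify($answer, $selfMade));                              // unkeyed check
var_dump(signed_verify($answer, ($now + TTL) . '.' . $selfMade, $now)); // keyed check, no key known

// A server-issued challenge, checked twice inside its lifetime and once after it.
$token = signed_token('x7Kq', $now);
var_dump(signed_verify('x7kq', $token, $now));
var_dump(signed_verify('x7kq', $token, $now + 60));  // same token presented a second time
var_dump(signed_verify('x7kq', $token, $now + 300)); // past TTL
```

The keyed token stops a client from minting its own field, but a solved token still verifies on every submission until it expires. Rejecting a second use requires recording spent tokens somewhere, which is the server-side state the answer refers to.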