OK, here is an issue: in the project I'm working on, we can't rely on server-side sessions for any functionality.
The problem is that common CAPTCHA solutions for preventing robotic submits require a session to store the string to match the CAPTCHA against.
The question is: is there any way to solve the problem without using sessions? What comes to my mind is serving a hidden form field, containing some hash, along with the CAPTCHA input field, so that the server can then match these two values together. But how can we make this method secure, so that it couldn't be used to break the CAPTCHA easily?
Without persistent state server-side, I don't see a CAPTCHA working.
What you suggested is not secure, since an attacker could easily always POST his own 'hidden field' with matching CAPTCHA text.
Why not do the CAPTCHA from another webserver where you can have persistent state?
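The following is an added illustration of the exchange above; it is not code from the question or the answer, and the function names, the token layout and the embedded secret are all constructed for the example. It contrasts the scheme the question proposes (hidden field = plain hash of the answer, which anyone can compute, exactly as the answer warns) with a keyed variant where the hidden field is an HMAC under a server-only secret plus an expiry. The keyed variant stops an attacker from minting his own field, but it does not stop replaying one solved token until it expires, which is why the answer's point about keeping persistent state somewhere still holds.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed secret for the example. In a deployment this comes from
# configuration or a secrets store and is never checked into code.
SERVER_SECRET = b"example-server-secret-do-not-use"


def normalize(answer: str) -> str:
    """Canonical form of a CAPTCHA answer (trim + case-fold)."""
    return answer.strip().lower()


# --- Scheme from the question: hidden field is an unkeyed hash ------------

def naive_token(answer: str) -> str:
    """Hidden field = SHA-256 of the answer. Nothing here is secret."""
    return hashlib.sha256(normalize(answer).encode()).hexdigest()


def naive_verify(answer: str, token: str) -> bool:
    return hmac.compare_digest(naive_token(answer), token)


def self_made_submission(chosen_answer: str = "aaaaaa") -> Tuple[str, str]:
    """The answer's objection: a client can produce both fields itself,
    because the hash needs no information the client lacks."""
    return chosen_answer, naive_token(chosen_answer)


# --- Keyed variant: hidden field is an HMAC under a server secret -----------

def _tag(nonce: str, expires_at: int, answer: str, secret: bytes) -> str:
    msg = f"{nonce}|{expires_at}|{normalize(answer)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def keyed_token(answer: str, ttl_seconds: int = 300,
                now: Optional[float] = None,
                secret: bytes = SERVER_SECRET) -> str:
    """Hidden field = nonce.expiry.HMAC(secret, nonce|expiry|answer).
    The answer itself is not in the token, only a keyed tag over it."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(8)
    expires_at = int(now) + ttl_seconds
    return f"{nonce}.{expires_at}.{_tag(nonce, expires_at, answer, secret)}"


def keyed_verify(answer: str, token: str, now: Optional[float] = None,
                 secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the tag from the submitted answer and compare in constant
    time. Expired tokens are rejected. Note: a valid (token, answer) pair
    verifies repeatedly until expiry; rejecting replays requires remembering
    used nonces, i.e. server-side state."""
    now = time.time() if now is None else now
    try:
        nonce, exp_str, tag = token.split(".")
        expires_at = int(exp_str)
    except ValueError:
        return False
    if now > expires_at:
        return False
    return hmac.compare_digest(_tag(nonce, expires_at, answer, secret), tag)


if __name__ == "__main__":
    ans, tok = self_made_submission()
    print("naive scheme accepts a client-made field:", naive_verify(ans, tok))
    t = keyed_token("x7q4", now=1000)
    print("keyed: correct answer  ->", keyed_verify("x7q4", t, now=1100))
    print("keyed: wrong answer    ->", keyed_verify("zzzz", t, now=1100))
    print("keyed: after expiry    ->", keyed_verify("x7q4", t, now=2000))
    print("keyed: replayed token  ->", keyed_verify("x7q4", t, now=1100))
```

The keyed token is only as strong as the secrecy of `SERVER_SECRET` and the expiry window you choose; a short TTL bounds how long a single solved token can be replayed, but only a server-side record of consumed nonces (or the separate stateful CAPTCHA server the answer suggests) removes replay entirely.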