PHP Captcha without session

傲寒 2021-01-04 13:51

Ok, here is an issue: in the project I'm working on, we can't rely on server-side sessions for any functionality.

The problem is that common captcha solutions fro

13 answers
  • 2021-01-04 14:32

    You could try storing a bunch of captcha codes in a database. Alternatively, there's a nice discussion on alternate captcha methods here: Practical non-image based CAPTCHA approaches?

    Some pretty interesting techniques really, have a read through.

  • 2021-01-04 14:32

    Here's my take at it (sry if it seems complicated):

    1. on page request:

      • you generate a random string code 'abcdef';
      • you encrypt the code using some predefined password: $crypt = encrypt($captcha_code, 'password')
    2. in the form:

      • an image link is sent to the browser 'captcha.php?$crypt'
      • a hidden input is set with the value of $crypt
    3. the captcha.php page decrypts the encrypted text, and generates the image.

    4. the user submits a form with code 'abcdaa' (and hidden input $crypt)

    5. the server verifies if encrypt('abcdaa') == $crypt

    edit: the encrypt function needs to be reversible (decrypt), since the captcha image generator will need the original code.

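The token scheme from the numbered answer above (steps 1 to 5), sketched in PHP as an added example that is not part of the original post: it uses AES-256-GCM so a modified token is rejected, embeds an expiry, and for step 5 decrypts and compares instead of re-encrypting, because a fresh nonce makes every ciphertext different. The function names, the 120-second lifetime and the token layout are assumptions.

```php
<?php
// Added example; function names, TTL and token layout are assumptions.
const CAPTCHA_TTL = 120; // token lifetime in seconds (assumed)

// Step 1: seal the code and an expiry time into an opaque token.
function captcha_issue(string $code, string $key, ?int $now = null): string
{
    $nonce = random_bytes(12); // fresh nonce per token, required for GCM
    $plain = json_encode(['code' => $code, 'exp' => ($now ?? time()) + CAPTCHA_TTL]);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    return base64_encode($nonce . $tag . $ct);
}

// Step 3: captcha.php calls this to recover the code it must draw.
// Returns null for malformed, modified or expired tokens.
function captcha_open(string $token, string $key, ?int $now = null): ?string
{
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) <= 28) { // 12-byte nonce + 16-byte tag
        return null;
    }
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    $data = $plain === false ? null : json_decode($plain, true);
    if (!is_array($data) || !is_string($data['code'] ?? null)
        || !is_int($data['exp'] ?? null) || $data['exp'] < ($now ?? time())) {
        return null;
    }
    return $data['code'];
}

// Step 5: compare the submitted answer with the sealed code in constant time.
function captcha_verify(string $token, string $answer, string $key, ?int $now = null): bool
{
    $code = captcha_open($token, $key, $now);
    return $code !== null && hash_equals($code, $answer);
}

// Constructed demo values: a throwaway key and the code from the post.
$key   = random_bytes(32); // in practice a fixed 32-byte secret from server config
$token = captcha_issue('abcdef', $key);
echo 'hidden field / image URL: captcha.php?' . rawurlencode($token), PHP_EOL;
var_dump(captcha_verify($token, 'abcdef', $key));                // matching answer
var_dump(captcha_verify($token, 'abcdaa', $key));                // the wrong answer from step 4
var_dump(captcha_verify($token, 'abcdef', $key, time() + 3600)); // same token an hour later
```

Because nothing is stored server-side, a token and its answer stay valid until the expiry passes, so keep the lifetime short.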
  • 2021-01-04 14:36

    Auto-populate a UUID of the CAPTCHA along with the user answer in the POST. Easy peasy.

  • 2021-01-04 14:36

    How about this solution? I found this "Sessionless PHP Captcha" article on Google and I used it on one of my projects, it's simple, no session and it's free. Any security concerns on RC4?

    http://www.mythos-rini.com/blog/archives/732

  • 2021-01-04 14:37

    My own idea, I don't know if it is good:

    1) If the user is logged in, just use some hash function on his login and generate the CAPTCHA with it,

    2) If it is a registration form, etc., just hash some value from a form field (for example the login, when the user has finished typing it) and show the CAPTCHA via AJAX with the hash from the login.

    Hope that it is understandable. :)

    EDIT: Without AJAX: 2-step registration:

    At 1, we collect the login etc.; after submit, we direct to ?login=new_login

    At 2, we have a hidden input with GET["login"] and the hash from it in the CAPTCHA image - after submit we have everything needed to check the answer.

  • 2021-01-04 14:45

    Have the CAPTCHA generator return an image, and use a salted hash or custom hash for the answer (emphasis on salted/custom). Have the generator push that hash into a cookie. The server can then validate based on the value in the cookie. This wouldn't require JavaScript, but if cookies are disabled, you'd have to fall back to another technique.
