tags:

views:

1224

answers:

9
+2  Q: 

PHP Captcha without session

Ok, here is an issue: in the project i'm working on, we can't rely on server-side sessions for any functionality.

The problem is that common captcha solutions from preventing robotic submits require session to store the string to match captcha against.

The question is - is there any way to solve the problem without using sessions? What comes to my mind - is serving hidden form field, containing some hash, along with captcha input field, so that server then can match these two values together. But how can we make this method secure, so that it couldn't be used to break captcha easily.

+1  A: 

You could try storing a bunch of captcha codes in a database. Alternatively, theres a nice discussion on alternate captcha methods here: http://stackoverflow.com/questions/8472/practical-non-image-based-captcha-approaches

some pretty interesting techniques really, have a read through.

Evernoob  2009-09-23 12:37:40
A: 

Make your hidden input field just a random sequence. Store this random data in the database along with the captcha information, so you can look up the correct captcha with it.

You will also need to set a short-ish time to live for each captcha generated. Finally, you can store and track in the database the number of attempts on each captcha and impose a hard limit on it (3 guesses and it is a permanent fail).

rikh  2009-09-23 12:40:34
That’s the basics of how sessions work. Store the data on the server side (your captcha information in the database) and associate it with an ID (your random sequence).
Gumbo  2009-09-23 12:47:32
A: 

Without persistent state server-side, I don't see a CAPTCHA working.

What you suggested is not secure since an attacker could easily always POST his own 'hidden field' with matching CAPTCHA text.

Why not do the CAPTCHA from another webserver where you can have persistent state?

Yannick M.  2009-09-23 12:43:39
Yes, i'm aware of the fact that without some form of persistence on server, attacker can use the same correct pair of hash-captcha like 100 billion times. But what if we salt hash with the server's timestamp and lucky pairs will expire every 10-20 minutes, what do you think of the security of this method?
Anton N  2009-09-23 12:58:24
It indeed offers an added level of security, but I fear the salt will not be random enough. One thing to consider is the level security you need. If you need 'some' security, but the likelyhood of becoming the target of an attack is low, you could try such a low security method.
Yannick M.  2009-09-23 13:31:20
A: 

My own idea, don't know is it good:

1) If user is logged, just use some hash function on his login and generate CAPTCHA with it,

2)if it is register form, etc just hash some value from form field (for example login, when user finished type it) and by ajax show CAPTCHA with hash from login.

Hope, that it is understandable. :)

EDIT: Without AJAX: 2 steps registration:

At 1, we collect login etc. after submit, we direct to ?login=new_login

At 2, we have hidden input with GET["login"] and hash from it in CAPTCHA image - after submit we have all to check answer.

Rin  2009-09-23 12:48:32
2) Nice idea :) but on doing this we either block people with javascript off or allow all bots with no js engine to pass the captcha every time. Correct me, if i'm wrong.
Anton N  2009-09-23 12:54:29
Bots will not pass captcha unless they know how you hash login :)
Rin  2009-09-23 13:01:58
Yes, but real clients, who can't make ajax calls won't have their chance to pass either?
Anton N  2009-09-23 13:07:02
OK i have idea, check "edit" ;)
Rin  2009-09-23 13:09:30
Well, I like it, especially combined - make captcha on the fly for ajax-enabled clients and use plan b with two-steps form for all the others. Will take this method into consideration :)
Anton N  2009-09-23 13:21:23
Will be nice if you don't forget vote +1 my answer or just mark it as solution, THX (I noticed you are new here) : - )
Rin  2009-09-23 13:33:35
Wouldn't the hash be the same each time for a given user, since you are hashing the same variable?
Yannick M.  2009-09-23 16:54:36
Yep, so we can add some data too... and send them by url
Rin  2009-09-23 17:24:07
A: 

Can you grant them a client certificate in response to a CAPTCHA call? Then once they select that certificate in the browser it's sent with each call from the client, and can be used for authentication without sessions and without further CAPTCHA calls.

quillbreaker  2009-09-23 13:01:02
Do you mean SSL certificate?
Anton N  2009-09-23 13:05:44
It's a similar type of certificate, but it's held by the client instead of the server. With SSL, the server presents the certificate and the client accepts it. With client certificates, it's the reverse - the client presents (through the web browser) and the web server accepts.Once you pick a client certificate on the web browser side, that certificate is sent with every call (Request["ClientCertificate"] or some such), so you don't have to keep login state in session. It does add some hoops for the client to jump through, however, and may not work for you.
quillbreaker  2009-09-23 14:52:46
A: 

Here's my take at it (sry if it seems complicated):

  1. on page request:

    • you generate a random string code 'abcdef';
    • you encrypt the code using some predefined password: $crypt = encrypt($captcha_code, 'password')

  2. in the form:

    • an image link is sent to the browser 'captcha.php?$crypt'
    • a hidden input is set with the value of $crypt

  3. the captcha.php page decrypts the encrypted text, and generates the image.

  4. the user submits a form with code 'abcdaa' (and hidden input $crypt)

  5. the server verifies if encrypt('abcdaa') == $crypt

edit: the encrypt function needs to be reversible (decrypt), since the captcha image generator will need the original code.

jcinacio  2009-09-23 13:30:05
the problem with this method is that the attacker can use one pair of values a lot of times.
Anton N  2009-09-23 13:35:47
@Anton N: not exactly, if the password changes (just add a salt based on available information like user IP address, current day, browser info, or some other stuff)
jcinacio  2009-09-23 14:29:07
I think this approach is worse than what Anton N suggested in the first place. Use a hash, obviously! hidden_field=hash(captcha + salt) and verify by hidden_field == hash(user_inputted_captcha + salt).
Yannick M.  2009-09-23 17:05:26
@Yannick M. The issue lies on the fact that the image generation script needs to know what text code to generate in the first place. without server-side use of session/db, the text must come from somewhere...
jcinacio  2009-09-23 17:47:07
The image generation is server-side, and a hash of the text + salt is only to verify the result afterwards. The thing about encryption is, if an attacker can break it, they have the text + the password. Whereas they cannot 'break' the hash, they can only find possible collisions.
Yannick M.  2009-09-23 23:23:22
A: 

How about this solution? I found this "Sessionless PHP Captcha" article on google and I used on one of my projects, it's simple, no session and it's free. Any security concerns on RC4?

http://www.mythos-rini.com/blog/archives/732

userb00  2010-03-27 00:36:45
A: 

Use the honeypot technique: place a text field with a greedy name, as 'email', into an field hidden by CSS (display: none; visibility: hidden;).

When you have to sanitize the form, simply check if that field is empty, is being send by an human (that cant see the field and so cant fill it up), else, from a spammer.

That's why usually spammer use to fill up all the fields in the page with predefinited values before sending the form... and doesnt bother the user for reading the captcha.

Else, rely on the human reading, something like "Write the first $x letter of the word "$word" in the field:"

Then, you only have to send the $x and $word to the next page and check it (and of course, you can randomize the fields name to be more accurated)

I remember that a plugin for phpBB forum rely on the fact that, usually, the spam bots selects the first option avaiable (with a value) in the <select> fields; Just put as first option <option value="kickmeplease">Yes, im a bot.</option>

There are many ways to protect against spambots, playing on one factor that bots will never have: imagination

DaNieL  2010-03-27 02:05:33
A: 

The need for session or database comes from the need to coordinate the GET for the image with the html page containing it, so how about use the same code to embed a captcha image: [img src='data:image/jpeg;base64,...'], use a random salt to hash its text, then sending the random salt and hash together with the image to the client in a single GET?

On postback you append the user text to the salt then compare the hashes. Just wondering how safe this would be...

Costas  2010-04-21 10:19:57

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases