Simple Captcha: Session ID as identifier?
Posted: 16 July 2008 02:10 PM
Joined: 2008-06-25
133 posts

Hi!

I built a captcha library which randomly generates a simple mathematical question that the user is required to answer correctly to submit the form. When the user loads the controller, a new captcha is generated and the answer is stored in a database table along with the session ID which is the identifier used to fetch the correct answer once the user has pressed submit.

So my question is, is the session ID a smart way to associate a user with an answer, seeing as (if I understand it correctly) the session ID is changed every five minutes or so?

Best regards,
Erik Brännström


 
Posted: 16 July 2008 03:08 PM   [ # 1 ]   [ Rating: 0 ]
Joined: 2007-02-06
743 posts

I think you answered your own question. Why not just store the answer directly in the session? Alternatively, just store the numbers in hidden fields to avoid using the session.


 
Posted: 16 July 2008 03:15 PM   [ # 2 ]   [ Rating: 0 ]
Joined: 2007-10-09
13 posts

Use reCAPTCHA.net

It's free, it's awesome, it's high tech… and you’re helping to digitize books!

 
Posted: 16 July 2008 03:17 PM   [ # 3 ]   [ Rating: 0 ]
Joined: 2008-06-25
133 posts

It is interesting that the easiest solution seldom is the one that springs to mind :)

Just one follow-up question. The captcha is plain text and can easily be answered by a fairly simple automated process, which isn’t really a problem for my part. I’m just wondering if the CI Sessions are stored in cookies and if this information is easily accessible for such bots? I’m simply wondering for possible future security reasons.

Thanks for your answer!


 
Posted: 16 July 2008 03:27 PM   [ # 4 ]   [ Rating: 0 ]
Joined: 2008-06-25
133 posts
mdgross - 16 July 2008 07:15 PM

Use reCAPTCHA.net

It's free, it's awesome, it's high tech… and you’re helping to digitize books!

I did actually, however I found that it was a bit too high tech for my needs :)

The site I’m working on is in Swedish, which is not supported by default with reCaptcha and I didn’t feel up to the task of fixing that myself. This solution also loads faster and will never cause the slightest problem when I finally get around to internationalizing the site.


 
Posted: 16 July 2008 03:40 PM   [ # 5 ]   [ Rating: 0 ]
Joined: 2007-12-13
378 posts

I think the best way to go would be to use the standard session flashdata feature to store the answer on the page with the form and access it on the submit page. No need to worry about DB calls or session IDs changing.

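
The flashdata approach suggested in the last reply, as an added example that is not part of the original thread: a hypothetical CodeIgniter library, Math_captcha (the class name, flashdata key and question wording are assumptions). It assumes the session keeps its data server-side; if the session payload travels inside the cookie, the stored answer travels to the client with it.

```php
<?php
// Added example, not from the thread: application/libraries/Math_captcha.php
// Assumption: session data is stored server-side, not inside the cookie.
class Math_captcha {

    const KEY = 'math_captcha_answer'; // hypothetical flashdata key

    private $CI;

    public function __construct()
    {
        $this->CI =& get_instance();
        $this->CI->load->library('session');
    }

    // Call when rendering the form. Returns the question text to display.
    public function create()
    {
        $a = random_int(1, 9);
        $b = random_int(1, 9);
        // Flashdata survives for the next request only, so each answer is single-use.
        $this->CI->session->set_flashdata(self::KEY, $a + $b);
        return "What is {$a} + {$b}?";
    }

    // Call when the form is submitted. Returns TRUE only for the correct answer.
    public function check($submitted)
    {
        $expected = $this->CI->session->flashdata(self::KEY);
        // No stored answer: expired, already consumed, or the form was never loaded.
        // (Depending on the CodeIgniter version a missing key is NULL or FALSE.)
        if ($expected === NULL || $expected === FALSE) {
            return FALSE;
        }
        // Accept plain digits only, so "" or "7abc" is never treated as a number.
        $submitted = trim((string) $submitted);
        if ( ! ctype_digit($submitted)) {
            return FALSE;
        }
        return (int) $submitted === (int) $expected;
    }
}
```

In a controller, call create() when displaying the form and check($this->input->post('answer')) on submit; on a failed check, call create() again so the user gets a fresh question.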