[thelist] junk entry into forms (captcha?)
Bill Moseley
moseley at hank.org
Wed Feb 7 09:26:41 CST 2007
On Wed, Feb 07, 2007 at 11:47:41AM +0000, Austin Harris wrote:
> Morning all,
>
> Just had a (very old) client get in touch and the order form that I
> made for them a fair few years ago is now getting hammered - about
> 50 - 100 per day.
Besides captchas:
I find requiring them to fetch the form first stops most of these
attacks.
If the application already has sessions I include a token that is only
valid once for a post and will time out. So they have to fetch the
form before submitting to it.
Without sessions, the other thing I've done is take the time in
minutes plus a secret word and hash it. Then when the form is posted
I calculate the current time and step backwards X number of minutes
until the hash matches. That way I know they fetched the form within
the last X minutes.
It's amazing how often I can't read the captcha images myself.
--
Bill Moseley
moseley at hank.org
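The two "fetch the form first" checks described in the message above, as an added worked example that is not Bill's code and not from any project on this list. The stateless variant follows his description (time in minutes plus a secret, hashed, verified by stepping back X minutes) but uses HMAC-SHA256 rather than a bare hash of the concatenation; the secret value, the 10-minute window and the session store shape are assumptions for the example. The timestamps in the test are constructed values.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side secret for the example; in practice load it from
# configuration, never from the form or the client.
SECRET = b"example-only-secret-change-me"
DEFAULT_MAX_AGE_MINUTES = 10  # assumed window X


def _minute(now=None):
    """Current time as a whole-minute bucket."""
    return int((time.time() if now is None else now) // 60)


def stateless_token(secret, now=None):
    """Token to embed in the form as a hidden field: HMAC(secret, minute).

    No server-side state is kept; the minute bucket is recovered at
    verification time by searching backwards.
    """
    return hmac.new(secret, str(_minute(now)).encode(), hashlib.sha256).hexdigest()


def verify_stateless(token, secret, max_age_minutes=DEFAULT_MAX_AGE_MINUTES, now=None):
    """Accept the token if it was issued within the last max_age_minutes.

    Step back one minute at a time and recompute the HMAC; a match proves
    the submitter fetched the form within the window. compare_digest keeps
    the comparison constant-time.
    """
    current = _minute(now)
    for back in range(max_age_minutes + 1):
        expected = hmac.new(secret, str(current - back).encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, token):
            return True
    return False


class SessionTokens:
    """Per-session one-time form tokens with a time-out.

    Issue a token when the form is rendered, store it in the user's
    session, and consume it exactly once on POST. Here the session is a
    plain dict; a real application keeps this in its session backend.
    """

    def __init__(self, ttl_seconds=600):
        self.ttl_seconds = ttl_seconds
        self._expiry = {}  # token -> absolute expiry time (seconds)

    def issue(self, now=None):
        token = secrets.token_urlsafe(32)  # unguessable, 256 bits
        self._expiry[token] = (time.time() if now is None else now) + self.ttl_seconds
        return token

    def consume(self, token, now=None):
        """Return True once for a live token; every later call returns False."""
        expires = self._expiry.pop(token, None)  # pop: single use, even if expired
        if expires is None:
            return False
        return (time.time() if now is None else now) <= expires


if __name__ == "__main__":
    # Render the form: include one of these as a hidden field.
    t = stateless_token(SECRET)
    print("stateless token valid now:", verify_stateless(t, SECRET))

    store = SessionTokens(ttl_seconds=600)
    s = store.issue()
    print("session token first use:", store.consume(s))
    print("session token replay:", store.consume(s))
```

The stateless token is not single-use: a bot that fetches the form once can replay the same hidden value for the whole X-minute window, so it raises the bar (the bot must do a GET before every burst) rather than blocking submissions outright. The session variant is single-use, at the cost of needing the session in the first place.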