[thelist] junk entry into forms (captcha?)

Steven Streight steven.streight at gmail.com
Wed Feb 7 09:57:28 CST 2007


Yes, Bill Moseley, and when captchas are hard to read, sales will be lost.

On 2/7/07, Bill Moseley <moseley at hank.org> wrote:
>
> On Wed, Feb 07, 2007 at 11:47:41AM +0000, Austin Harris wrote:
> > Morning all,
> >
> > Just had a (very old) client get in touch and the order form that I
> > made for them a fair few years ago is now getting hammered - about
> > 50 - 100 per day.
>
> Besides captchas:
>
> I find requiring them to fetch the form first stops most of these
> attacks.
>
> If the application already has sessions I include a token that is only
> valid once for a post and will time out.  So they have to fetch the
> form before submitting to it.
>
> Without sessions, the other thing I've done is take the time in
> minutes plus a secret word and hash it.  Then when the form is posted
> I calculate the current time and step backwards X number of minutes
> until the hash matches.  That way I know they fetched the form within
> the last X minutes.
>
> It's amazing how often I can't read the captcha images myself.
>
> --
> Bill Moseley
> moseley at hank.org
>



-- 
Steven Streight aka Vaspers the Grate
Web Usability. Blog Revolution. Ecommerce.

steven [dot] streight [at] gmail [dot] com

http://www.vaspersthegrate.blogspot.com
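
The sessionless check Bill Moseley describes in the quoted reply (hash the time in minutes with a secret, then step backwards X minutes on submit), as an added example that is not part of the original thread. It uses HMAC-SHA256 in place of a plain hash of time plus secret word; the secret, the 10-minute window and the function names are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: server-side secret, never sent to the client
WINDOW_MINUTES = 10                  # assumption: the "X minutes" from the post


def tag_for_minute(minute: int) -> str:
    """HMAC-SHA256 over the minute counter, keyed with the server secret."""
    return hmac.new(SECRET, str(minute).encode(), hashlib.sha256).hexdigest()


def issue_token(now=None) -> str:
    """Value to place in a hidden form field when the form is served."""
    now = time.time() if now is None else now
    return tag_for_minute(int(now // 60))


def verify_token(token: str, now=None, window: int = WINDOW_MINUTES) -> bool:
    """Step back one minute at a time until a tag matches or the window runs out."""
    now = time.time() if now is None else now
    current = int(now // 60)
    submitted = token.encode()
    ok = False
    for age in range(window + 1):
        expected = tag_for_minute(current - age).encode()
        # Constant-time compare, and no early exit, so timing does not leak the age.
        if hmac.compare_digest(expected, submitted):
            ok = True
    return ok


if __name__ == "__main__":
    served_at = 1_170_863_848  # constructed timestamp for the demo
    tok = issue_token(served_at)
    print("posted after 5 min :", verify_token(tok, served_at + 5 * 60))
    print("posted after 11 min:", verify_token(tok, served_at + 11 * 60))
    print("no form fetch      :", verify_token("0" * 64, served_at))
```

Because the token depends only on the minute and the secret, every visitor in the same minute gets the same value and it can be replayed until the window closes; the one-time session token from the same reply does not have that property.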


