ColdFusion Talk (CF-Talk) mailing list

ColdFusion MX and CAPTCHA
Whittingham, P (06/16/04 03:57 PM):

Hi All,

How would one provide a cfmx-only solution (no .Net) for a 'CAPTCHA' solution. Any ideas would be appreciated.

http://www.devx.com/dotnet/Article/21308

TIA,
Patrick Whittingham
United Space Alliance

_____

Rick Root (06/16/04 04:13 PM):

Whittingham, P wrote:
> How would one provide a cfmx-only solution (no .Net) for a 'CAPTCHA'
> solution. Any ideas would be appreciated.

This has been posted and discussed many times since I've been on the list. I have yet to see anyone suggest specifics on how to do it though.

It shouldn't be too hard to use JAI or ImageMagick or something similar though to generate an image with text using a funky font, then overlay the image with another image to confuse OCR software...

I think you'd store the image text in a database, and pass some kind of ID in the form as a hidden field, then on submission, look for that ID in the database and compare the text in the database to what the user typed in.

Again, it's all theoretical. Maybe someday, someone will write such a tool and share with all of us how they did it.

- Rick

_____

Doug James (06/16/04 04:30 PM):

A thought just struck me, so it is a bit off the top of my head and may not be totally thought through.

If one is to believe MM and that 70%+ of the world's browsers have a flash plug-in loaded, could one use flash remoting to create a standard flash still image then use CF to put random letters on top of the image? Can automated scripts decipher flash movies?

Just a thought.

Doug

_____

Bryan F. Hogan (06/16/04 04:39 PM):

Yes, Flash can be decompiled. So can an image. And there is no captcha string truly unique that can't eventually be figured out. You just make it as difficult as possible. Your idea would work, but an image is better because it is compiled. And with flash you're passing the data in somehow that can be caught.

Doug James wrote:
> A thought just struck me so it is a bit off the top of my head, read may
> not be totally thought through.
>
> If one is to believe MM and that 70%+ of the worlds browser have a flash
> plug-in loaded, could one use flash remoting to create a standard flash
> still image then use CF to put random letters on top of the image? Can
> automated scripts decipher flash movies?

_____

Matthew Fusfield (06/16/04 09:00 PM):

Take a look here: http://www.emerle.net/comments/view.cfm/p/152

_____

Ryan Emerle (06/17/04 10:15 AM):

I have posted the tag I created on my site. You can grab a copy from here:

http://www.emerle.net/programming/display.cfm/t/cfx_captcha

Included is an example file which shows how you can use session variables. Basically, the example file will act as an image. You simply add an IMG tag pointing to that file:

  <img src="./images/validation/validate.cfm">

And it will serve up the generated image with CFCONTENT right after it sets the session variable. All you have to do is check the posted value against the session value. Of course, you will have to watch out for session timeouts.. :)

It's not fool-proof, but it gets the job done.. :)

-Ryan

_____

Bryan F. Hogan (06/17/04 10:27 AM):

I like yours Ryan. I would try and make the key a little stronger.

_____

Bryan F. Hogan (06/17/04 02:23 PM):

Ryan, anyway we can change the background image with your tag?

_____

Whittingham, P (06/16/04 04:15 PM):

thanks...didn't know that.

Pat

_____

Bryan F. Hogan (06/16/04 04:26 PM):

Ok, ok, I've been holding off on this because I wanted to write something up about it. Here it is.

1. Find an image package that will allow you to create and write text on top of an image.

2. Create a file like below.

image.cfm

  <cfset theImage=Your image manipulation package>
  <cflock timeout="2" throwontimeout="yes" name="captchaImage">
    <cfset session.captchaString=yourRandomUniqueStringGoesHere>
    <cfset captchaString=session.captchaString>
  </cflock>
  <cfset theImage=write(session.captchaString)>
  <cfcontent type="image/gif" reset="true">
  <cfoutput>#variables.theImage#</cfoutput>

3. Include the image on your form

  <img src="image.cfm">

4. Include a field the user can type into.

5. Action page check form field with session.captchaString.

That's as simple as it gets.

Whittingham, P wrote:
> thanks...didn't know that.

_____

Matt Liotta (06/16/04 04:34 PM):

The code needed to produce an image from a string has already been created.

http://cvs.sourceforge.net/viewcvs.py/*checkout*/openxcf/javacfx/src/net/sourceforge/openxcf/javacfx/ImageString.java?content-type=text%2Fplain&rev=1.1

-Matt

_____

Bryan F. Hogan (06/16/04 04:50 PM):

p.s. Matt's code here is what I use. It would be nice if Matt could compile it so that someone writing up the steps involved with building a CAPTCHA implementation doesn't have to trust that someone will know how to compile Java. ;-)

Matt Liotta wrote:
> The code needed to produce an image from a string has already been
> created.
>
> http://cvs.sourceforge.net/viewcvs.py/*checkout*/openxcf/javacfx/src/
> net/sourceforge/openxcf/javacfx/ImageString.java?content-
> type=text%2Fplain&rev=1.1

_____

Matt Liotta (06/16/04 05:15 PM):

http://sourceforge.net/project/showfiles.php?group_id=100854&package_id=108545

-Matt

_____

Bryan F. Hogan (06/16/04 05:17 PM):

Sorry Matt, didn't see that. Thanks!

Matt Liotta wrote:
> http://sourceforge.net/project/showfiles.php?
> group_id=100854&package_id=108545

_____

Adam Howitt (06/16/04 05:04 PM):

A web service called Obfuscater.cfc with 2 methods:

1. imageType getImage(String myRandomNumber)
   This uses cfcontent to create an image based on the random number, picks a word to use and sends it back to the browser as an image.

2. boolean validateEntry(String myRandomNumber, String userGuess)
   Regens the same word from part 1 with myRandomNumber and compares the result to the userGuess and returns true or false.

myRandomNumber is passed from page to page even as text since the decode logic is all kept in the validateEntry piece.
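The session-bound design sketched in the five-step image.cfm recipe above, written out as an added example in Python rather than CFML (it is not code from the thread or from any of the tags linked in it). The answer is generated and kept on the server, the page receives only an opaque challenge id, and each challenge is bound to one session, usable once, and expires. ChallengeStore, issue, verify and the in-memory dictionary are constructed names for this example; a real site would persist the store in a database or cache.

```python
# Added example, not from the thread: a server-side challenge store that
# implements the session-bound design discussed above in Python rather than
# CFML. The answer never leaves the server; the form carries only an opaque
# challenge id; every challenge is bound to one session, used once, and expires.
# All names (ChallengeStore, issue, verify) and the in-memory dict are
# constructed for this example; a real site would back it with a DB or cache.
import hmac
import secrets
import time

# Constructed alphabet: lowercase letters and digits minus look-alikes (i, l, o, 0, 1).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
ANSWER_LENGTH = 6
CHALLENGE_TTL_SECONDS = 300


class ChallengeStore:
    """Pending CAPTCHA challenges keyed by an unguessable id, bound to a session."""

    def __init__(self, ttl=CHALLENGE_TTL_SECONDS, now=time.time):
        self.ttl = ttl
        self.now = now  # injectable clock so expiry can be tested deterministically
        self._pending = {}  # challenge_id -> (session_id, answer, issued_at)

    def issue(self, session_id):
        """Create a challenge for this session and return (challenge_id, answer).

        The caller renders `answer` into the image and sends the client only
        `challenge_id` (hidden field or image URL); the answer itself, and any
        hash of it, is never written into the page.
        """
        answer = "".join(secrets.choice(ALPHABET) for _ in range(ANSWER_LENGTH))
        challenge_id = secrets.token_urlsafe(16)  # 128 random bits: not enumerable
        self._pending[challenge_id] = (session_id, answer, self.now())
        return challenge_id, answer

    def verify(self, session_id, challenge_id, guess):
        """Check a submitted guess. Every attempt consumes the challenge,
        so a client cannot keep guessing against the same image."""
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False  # unknown id, or already used (replay)
        bound_session, answer, issued_at = entry
        if bound_session != session_id:
            return False  # id presented from a session it was not issued to
        if self.now() - issued_at > self.ttl:
            return False  # expired: the session-timeout caveat Ryan mentions
        # Constant-time compare; case-insensitive because the alphabet is lowercase.
        return hmac.compare_digest(answer, guess.strip().lower())

    def pending_count(self):
        """Number of outstanding challenges (useful when monitoring for abuse)."""
        return len(self._pending)
```

In CFML terms, `issue` is what image.cfm does before its CFCONTENT and `verify` is the action page's check. Keeping one record per challenge id, rather than a single `session.captchaString`, also means two forms open in the same session (a second browser tab, say) do not overwrite each other's answer, and a failed guess on one challenge cannot be retried against the same image.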
Bryan F. Hogan (06/16/04 05:09 PM):

And of course the spider can read that text and pass it to the validateEntry function and post to your form over, and over, and over again. Anything stored in the page can be read and posted as if it were typed in by the user.

_____

Adam Howitt (06/16/04 05:38 PM):

Read what text? The clear text is just a one way key. They have to provide the correct word which is never passed to the form.

e.g.

Pass MyRandomNumber = 1234567 to obfuscater to get an image with the word 'awwwYeah' cleverly hidden behind some garbage to make it hard to decode. Spider has no way of knowing the 'awwwYeah' piece since all the first page has is the image and the random number.

Submit guess 'thisIsWhack' as the guess to the cfm page. Obfuscater returns false since when the second obfuscater function looks up the word for random number 1234567 it differs from the other function value so it fails.

Which part of this would fail?

_____

Bryan F. Hogan (06/16/04 06:08 PM):

It depends on how random your number was. Because that number can be extracted and algorithms written to guess what string would be returned. And it could keep doing this over and over again. So if your number is near unique and sufficiently long, such as a uuid, and also able to be converted into a string short enough to be manageable by a user, then there is no problem with your method. However, anything that you put in the body of the code is another clue to your algorithm behind the scenes. Remember there are a lot of smart 6 year olds out there that can easily make us look like an embryo. ;-)

So long story short, if the random number is stored in the session, then no clues would be left. So then they would have to rely on brute force, trying to decode and guess what the string was from the image, or make a more powerful OCR system.

Adam Howitt wrote:
> Which part of this would fail?

_____

Burns, John D (06/16/04 04:21 PM):

It shouldn't be hard. You don't necessarily need to create the images on the fly. Just create a bunch of them once. Then associate the file name with the correct answer in the DB. Each time you display a file to the user, generate another unique id mapping the particular display to that particular user with a record from the other table that has the filename and correct answer. Display the image to the person and hide the unique id (in session or hidden form). Then when submitted, check that session to find out which image was passed and compare their response with the correct string. Remove the record from the DB so they can't submit multiple times with the same info.

Just my thoughts, there may be an easier way.

John

_____

Bryan F. Hogan (06/16/04 04:28 PM):

Ok this is the second time I have heard someone say to pass the string in a hidden form field. DO NOT DO IT. A spider can download the html and read that string and pass that as the field.

_____

Burns, John D (06/16/04 04:32 PM):

Yes, but if that hidden form field is generated automatically and is truly unique per user, what harm is there? Couldn't a spider just as easily pick up a session var? After all, it has to hit the first page to "read" the image and then post, so it could do so in the same session.

Another good thing might be to push all of your images down using <cfcontent> so that they all appear as "image.gif" and then it will be harder to map an image to a correct response. However, the tax on the server of creating dynamic images for every request seems absurd.

John

_____

Bryan F. Hogan (06/16/04 04:44 PM):

Burns, John D wrote:
> Yes, but if that hidden form field is generated automatically and is
> truly unique per user, what harm is there?

The spider can read the string and post whatever it wants to your form for that request and keep doing it over and over and over again.

> Couldn't a spider just as
> easily pick up a session var?

Now this is where I'm not 100% sure. I have been doing some research and as far as I can tell it can not. I'm open to be proven wrong.

> After all, it has to hit the first page
> to "read" the image and then post, so it could do so in the same
> session.

That is only useful if a spider can read the session. It would not even have to worry about the image if it could read the session. It could however decode your image and try and figure it out from there. But most of the time, nobody is going to spend that much time. Nothing is 100% but you make it as difficult as possible.

> Another good thing might be to push all of your images down using
> <cfcontent> so that they all appear as "image.gif" and then it will be
> harder to map an image to a correct response.

Either way, the only way it would matter is if the spider could read the session. If it can, it doesn't have to worry about the image.

> However, the tax on the
> server of creating dynamic images for every request seems absurd.

You know how many IO operations happen in CFMX during a request? A lot. It really isn't any more taxing than displaying the image itself. For most sites, it would not even be noticeable. And if it becomes so, you just upgrade the server.

_____

Whittingham, P (06/16/04 04:40 PM):

This is on an intranet, so I don't have to worry about a spider....except ours....:)

Pat

_____

Bryan F. Hogan (06/16/04 04:45 PM):

If it's an intranet and you have proper login, etc implemented, why are you even worried about a captcha image?

Whittingham, P wrote:
> this is on an intranet, so I don't have worry about a spider....except
> ours....:)

_____

Whittingham, P (06/16/04 04:49 PM):

Maybe another layer of security which might be used for internal blogs...:)

Pat

_____

Bryan F. Hogan (06/16/04 04:51 PM):

Ok, I'll trust ya. ;-)

Whittingham, P wrote:
> maybe another layer of security which might be used for internal blogs...:)

_____

Jerry Johnson (06/16/04 05:00 PM):

This seems pretty simple as a concept.

First, generate a set of .gif files that represent each character that can be used in a hash.

a.gif
A.gif
b.gif
etc.

Then on your page, show an image and a form field

  <img src="randomimage.cfm">
  <input type="text" name="secretcode">

In randomimage.cfm, generate a text hash. Save that on your server for this session. DO NOT PASS IT TO THE BROWSER.

Take that text hash and build a list of alphabet samples. Use ImageMagick to build a single graphic out of the string of graphics (I do not know the specifics of how to do this, but it should be possible). Return that combined image using CFCONTENT.

Once the image is used, it should not be used again anytime soon.

On the submission handler page, check to see if the text field matches the session variable to see if they got the match.

Jerry Johnson

_____

Steven Erat (06/16/04 05:36 PM):

Check out this posting for a Java CFX custom CAPTCHA solution from Ryan Emerle:

http://www.emerle.net/comments/view.cfm/p/152

_____

Dave Watts (06/16/04 07:33 PM):

> > Couldn't a spider just as easily pick up a session var?
>
> Now this is where I'm not 100% sure. I have been doing some
> research and as far as I can tell it can not. I'm open to be
> proven wrong.

A spider is nothing more than another HTTP client. It can do anything that any HTTP client can do, and it can't do things that HTTP doesn't allow. So, to answer a question like this, all you have to do is ask "can I do that with a browser".
If yes, then it can be done with a spider, and if no, it can't.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444

_____

Rick Root (06/16/04 09:00 PM):

Since session variables are stored in memory on the server, the spider cannot access them. Neither can the browser, for that matter.

- Rick

_____

Bryan F. Hogan (06/17/04 09:22 AM):

> A spider is nothing more than another HTTP client. It can do anything that
> any HTTP client can do, and it can't do things that HTTP doesn't allow. So,
> to answer a question like this, all you have to do is ask "can I do that
> with a browser". If yes, then it can be done with a spider, and if no, it
> can't.

I don't remember the specifics Dave, but if I'm not mistaken, you said before that a spider could _not_ read a session var.

_____

Adam Hope (06/17/04 03:19 AM):

Hi All,

After having read through everyone's posts, here is how I actually did it, and it's currently running today on a site that gets 2000 new registrations a day. BTW this will run on CF 4.5 and up:

Create a Java CFX which randomly uses a True Type Font from a zip file and randomly picks 6 characters to be displayed in a JPEG file. It writes the image file to the filesystem so you can display it on the page. It also returns (as a coldfusion variable) the six characters that it has chosen to put in the image. eg.

  <cfx_captcha ivreturnvar="ivString" jpgreturnvar="ivImg">

You then immediately hash the contents of the variable and place it in a hidden form field

  <cfoutput><input type="hidden" name="hashcode" value="#hash( ivString )#"></cfoutput>

Then have an input box for the users to type into

  <input type="text" name="ivchars" value="" size="6" maxlength="6">

And finally on the page the form posts to, you compare the hidden form field value 'hashcode' to the hash value of whatever the user entered. If this is the same then they entered the string correctly

  <cfscript>
  if( hash( form.ivchars ) EQ form.hashcode ){ success = 1; }
  </cfscript>

And there you have it. I'll have a word with the powers that be and see if I can give the source code out. Please don't get your hopes up though.

Adam Hope
Development Team Leader
Wanadoo UK PLC
www.smartgroups.com

_____

Bryan F. Hogan (06/17/04 09:31 AM):

Aren't there a finite number of different combinations of a number between 1 and 6? And you're saving that variable to the page? If so that can be picked up and eventually guessed.

Adam Hope wrote:
> Create a Java CFX which randomly uses a True Type Font from a zip file
> and randomly picks 6 characters to be displayed in a JPEG file. It
> writes the image fiel to the filesystem so you can display it on the
> page. It also returns (as a coldfusion variable) the six characters that
> it has chosen to put in the image. eg.

_____

Burns, John D (06/17/04 10:12 AM):

That was my thought. Thus, if it can get a session, it can continue to the next page without a problem. That's why the only way that seems feasible to me is to push an image to the client and, for each request that the client makes for an image, associate that with a unique ID that you use kind of like a session. You know exactly what image you showed the user to begin with by associating that unique id to one of your images in your DB and therefore, the client must pass the appropriate unique ID (either through session or hidden form field) and the correct text from the image. Once submitted, you clear out the record with the unique id from the database so the person can't submit multiple requests with the same unique id and image text.

John

_____

Burns, John D (06/17/04 10:13 AM):

Bryan,

I don't think he's saying that the spider can _read_ the session var, but if you set one and it is passed to the next page, the spider will have it and then all it needs to do is figure out the image.

John

_____

Bryan F. Hogan (06/17/04 10:25 AM):

A session value passes in a HTTP header?

Burns, John D wrote:
> I don't think he's saying that the spider can _read_ the session var,
> but if you set one and it is passed to the next page, the spider will
> have it and then all it needs to do is figure out the image.

_____

Thomas Chiverton (06/17/04 10:29 AM):

> A session value passes in a HTTP header?

If you use cookies as your session storage, yes.

--
Tom Chiverton
Advanced ColdFusion Programmer
Tel: +44(0)1749 834997
email: tom.chiverton@bluefinger.com
BlueFinger Limited
Underwood Business Park
Wookey Hole Road, WELLS. BA5 1AF
Tel: +44 (0)1749 834900
Fax: +44 (0)1749 834901
web: www.bluefinger.com
Company Reg No: 4209395
Registered Office: 2 Temple Back East, Temple Quay, BRISTOL. BS1 6EG.

*** This E-mail contains confidential information for the addressee only. If you are not the intended recipient, please notify us immediately. You should not use, disclose, distribute or copy this communication if received in error. No binding contract will result from this e-mail until such time as a written document is signed on behalf of the company. BlueFinger Limited cannot accept responsibility for the completeness or accuracy of this message as it has been transmitted over public networks.***

_____

Bryan F. Hogan (06/17/04 10:37 AM):

Since when can you store the session in anything other than memory? It's client variables that you can change the storage mechanism for.

Thomas Chiverton wrote:
> If you use cookies as your session storage, yes.

_____

Dave Watts (06/17/04 10:27 AM):

That's correct. Neither can a browser. All a browser can do is send identifying tokens like cookies or URL variables back to the server, which can then read Session variables and use them within the program that generates the response to the browser's request.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444

_____

Bryan F. Hogan (06/17/04 10:32 AM):

Good, just making sure that I haven't been making myself sound like an a**

> That's correct. Neither can a browser. All a browser can do is send
> identifying tokens like cookies or URL variables back to the server, which
> can then read Session variables and use them within the program that
> generates the response to the browser's request.

_____

Burns, John D (06/17/04 10:32 AM):

I'm not saying it ever receives that variable. However, CF somehow associates that session with that client, therefore, the spider appears to be a valid client. Once it has the session, what keeps it from posting a million times on that session? CF has to set something on the client (cookie or token or something) to keep the session alive, and couldn't the browser/spider spoof that?

John

_____

Bryan F. Hogan (06/17/04 10:43 AM):

CFID and CFTOKEN are stored for that session. CF maps that internally to retrieve the session. Even if the spider read the CFID and CFTOKEN values, there is no way it could then tell CF to try and map it to retrieve the session. And even if it could, it couldn't read the value of the session var.

Burns, John D wrote:
> I'm not saying it ever receives that variable. However, CF somehow
> associates that session with that client, therefore, the spider appears
> to be a valid client. Once it has the session, what keeps it from
> posting a million times on that session? CF has to set something on the
> client (cookie or token or something) to keep the session alive, and
> couldn't the browser/spider spoof that?

_____

Pascal Peters (06/17/04 10:33 AM):

AFAIK you can use cookies for client storage but not for session storage

_____

Thomas Chiverton (06/17/04 10:36 AM):

> AFAIK you can use cookies for client storage but not for session
> storage

:blames liquid lunch and goes back to the corner :-)

--
Tom Chiverton
Advanced ColdFusion Programmer

_____

Burns, John D (06/17/04 10:49 AM):

Right, but what I'm saying is that once it has the cfid and cftoken, couldn't it loop over a url passing possible texts for the image (thus keeping the same session)?

John

_____

Bryan F. Hogan (06/17/04 10:59 AM):

It could loop over the URL. But if the string for the image is stored in the session and compiled into the image, the only way it could figure it out would be to use brute force (guessing over and over again), decompiling the image and trying to read what the text is, or using OCR. 1 and 2 are over complicated for most people, and OCR would be difficult if you chose a good image with a good text format on it. None are fool proof. But mine and Ryan's idea is the best bet for most situations. You just have to have a good string and a good background image.

Burns, John D wrote:
> Right, but what I'm saying is that once it has the cfid and cftoken,
> couldn't it loop over a url passing possible texts for the image (thus
> keeping the same session)

_____

Burns, John D (06/17/04 11:23 AM):

Well, I'm just trying to figure out why it wouldn't be easier to have a unique string passed with each request that is also tied to the correct "answer" for the image. That way, the spider could not post multiple times with the same unique string. It just seems like that would even rule out the brute force attempt.

John

_____

Bryan F. Hogan (06/17/04 12:21 PM):

Burns, John D wrote:
> Well, I'm just trying to figure out why it wouldn't be easier to have a
> unique string passed with each request that is also tied to the correct
> "answer" for the image.

There is nothing wrong with that if you store it in the session.

> That way, the spider could not post multiple
> times with the same unique string. It just seems like that would even
> rule out the brute force attempt.

You can do that by setting another session var that only allows them to post within a certain time period on a certain form.

_____

Dave Watts (06/17/04 12:41 PM):

> I'm not saying it ever receives that variable. However,
> CF somehow associates that session with that client,
> therefore, the spider appears to be a valid client.

I would go a step farther and say that it is a valid client. There's no difference between one HTTP client and another, from the web server's perspective, beyond the User-Agent string that each client sends to identify itself.

> Once it has the session, what keeps it from posting a
> million times on that session?
Your code would have to prevent this, if you didn't want it to be a possibility. > CF has to set something on the client (cookie or token or > something) to keep the session alive, and couldn't the > browser/spider spoof that? If by "spoof", you mean that one HTTP client could send a token that belonged to another HTTP client, yes. If one HTTP client simply returns the same token it received, it's not spoofing anything, whether it's a spider or a browser. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ phone: 202-797-5496 fax: 202-797-5444 Hi Bryan, We are using letters not numbers. Yes it can be guessed. As can everything. Ever heard of the RC5 challenge? With enough time and processing power even the simplest CAPTCHA can be guessed. But that is not that point. The point is to prevent a bot spider/bot from creating accounts automatically. Which the solution I provided does perfectly well and is in active use today. I hope someone finds the solution helpful. A note on the other proposed solutions: Session variables are useless on clustered servers (no lectures on sticky sessions please they are a waste of time) and cookies are useless if the client blocks them. Adam. Sent: 17 June 2004 14:23 To: CF-Talk Subject: Re: cfmx and CAPTCHA Aren't there a finite number of different combinations of a number between 1 and 6? And you're saving that variable to the page? If so that can be picked up and eventually guessed. Adam Hope wrote: > Create a Java CFX which randomly uses a True Type Font from a zip file > and randomly picks 6 characters to be displayed in a JPEG file. It > writes the image fiel to the filesystem so you can display it on the > page. It also returns (as a coldfusion variable) the six characters that > it has chosen to put in the image. eg. This email and the files transmitted with it are meant solely for the use of the individual addressee(s) named above. They may contain confidential and/or legally privileged information. 
If you are not the addressee(s) or responsible for delivery of the message to the addressee(s), please delete it from your system and contact the sender right away. The opinions, conclusions and other information in this message which do not relate to the official business of Wanadoo UK plc are not necessarily endorsed by it. Wanadoo UK plc has taken steps to ensure that this email and any attachments are virus-free, but it remains your responsibility to confirm and ensure this. Wanadoo UK plc is a subsidiary of Wanadoo SA. Our registered office is at: Maylands Avenue, Hemel Hempstead, Herts, HP2 7TG, and we are registered in England and Wales, as Company No. 3014367 > Session variables are useless on clustered servers (no > lectures on sticky sessions please they are a waste of > time) I won't lecture you, but I would like to point out that you can share Session variables across cluster members using CFMX on Jrun, although you can't use CFC instances within the Session scope that way. Also, I would disagree that sticky sessions are a "waste of time". If your primary goal for clustering is simply to add throughput, there's nothing wrong with using sticky sessions. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ phone: 202-797-5496 fax: 202-797-5444 Hey Dave, feel free to lecture, I've learned from you before: why don't CFC instances go across cluster members? I imagine it'd probably be self-evident if I knew anything about the mechanics of session sharing across JRun, but I don't. Thanks, Joe Sent: Fri 6/18/2004 8:34 AM To: CF-Talk Cc: Subject: RE: cfmx and CAPTCHA > Session variables are useless on clustered servers (no > lectures on sticky sessions please they are a waste of > time) I won't lecture you, but I would like to point out that you can share Session variables across cluster members using CFMX on Jrun, although you can't use CFC instances within the Session scope that way. Also, I would disagree that sticky sessions are a "waste of time". 
If your primary goal for clustering is simply to add throughput, there's nothing wrong with using sticky sessions. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ phone: 202-797-5496 fax: 202-797-5444 _____ > why don't CFC instances go across cluster members? I don't really know why they don't, just that they don't. I suspect that JRun has some sort of serializer to write its own session variables to strings, and that this serializer doesn't know what to do with CFC instances, but I really don't know for certain. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ phone: 202-797-5496 fax: 202-797-5444 Apparently Blue dragon can but I haven't tried it ;-) KOla > why don't CFC instances go across cluster members? I don't really know why they don't, just that they don't. I suspect that JRun has some sort of serializer to write its own session variables to strings, and that this serializer doesn't know what to do with CFC instances, but I really don't know for certain. Dave Watts, CTO, Fig Leaf Software http://www.figleaf.com/ phone: 202-797-5496 fax: 202-797-5444 _____ 1) Hi Joe! 2) I talked to Ben Forta when he came to the DC WAMMO meeting about the CFCs being replicated across clustered servers. His answer, in a nutshell was that they didn't have the time to do it. He also indicated that there was a good chance that it would be supported in the future. However, I know nothing about blackstone. Doug Hughes (Check out my ColdFusion Image Manipulation CFC at http://www.alagad.com/index.cfm/name-aic) ----- Excess quoted text cut - see Original Post for more ----- Doug, Any break on your Image Manipulation CFC for fellow CF-Talkers? Just figured I'd ask :-) John 1) Hi Joe! 2) I talked to Ben Forta when he came to the DC WAMMO meeting about the CFCs being replicated across clustered servers. His answer, in a nutshell was that they didn't have the time to do it. He also indicated that there was a good chance that it would be supported in the future. 
However, I know nothing about blackstone. Doug Hughes (Check out my ColdFusion Image Manipulation CFC at http://www.alagad.com/index.cfm/name-aic) ----- Excess quoted text cut - see Original Post for more ----- Still working on it - :-) ====================================== Our Anti-spam solution works!! http://www.clickdoug.com/mailfilter.cfm For hosting solutions http://www.clickdoug.com http://www.forta.com/cf/isp/isp.cfm?isp_id=1069 ====================================== Doug, Any break on your Image Manipulation CFC for fellow CF-Talkers? Just figured I'd ask :-) John 1) Hi Joe! 2) I talked to Ben Forta when he came to the DC WAMMO meeting about the CFCs being replicated across clustered servers. His answer, in a nutshell was that they didn't have the time to do it. He also indicated that there was a good chance that it would be supported in the future. However, I know nothing about blackstone. Doug Hughes (Check out my ColdFusion Image Manipulation CFC at http://www.alagad.com/index.cfm/name-aic) > > Apparently Blue dragon can but I haven't tried it ;-) > > KOla > > > why don't CFC instances go across cluster members? > > I don't really know why they don't, just that they don't. I suspect > that JRun has some sort of serializer to write its own session > variables to strings, and that this serializer doesn't know what to do > with CFC instances, but I really don't know for certain. > > Dave Watts, CTO, Fig Leaf Software > http://www.figleaf.com/ > phone: 202-797-5496 > fax: 202-797-5444 > _____ > > Sure, I'd be happy to offer 20% off the $50 license to anyone at all though June 31st. Send me an email via the Contact Us form on alagad.com and I'll hook you up. Doug Hughes ----- Excess quoted text cut - see Original Post for more -----
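The single-use per-request string John Burns proposes above (bound to the image's answer and consumed on first use) combined with Bryan's time window, written out as an added Python example that is not code from the thread or from any of the posters' tags; the in-memory dict stands in for the session scope or a shared store, and `CaptchaStore`, `issue`, `verify`, `guesses_accepted` and the sample answers are constructed names.

```python
import hmac
import secrets
import time


class CaptchaStore:
    """Server-side table of outstanding challenges: token -> (answer, issued_at).

    Constructed stand-in for the session scope (or a store shared by cluster
    members). Each token is a fresh unique string bound to one image's answer,
    which is what lets the server refuse a second guess on the same image.
    """

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be checked offline
        self.pending = {}

    def issue(self, answer):
        """Create the unique per-request string the form must send back."""
        token = secrets.token_urlsafe(16)   # unguessable, unlike a small counter
        self.pending[token] = (answer, self.clock())
        return token

    def verify(self, token, submitted):
        """Check one guess. The token is removed whether or not the guess is
        right, so a client that keeps the same session still gets exactly one
        try per image, and a replayed token is rejected as unknown."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False                    # never issued, or already used
        answer, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return False                    # outside the allowed time window
        return hmac.compare_digest(answer.lower().encode(), submitted.lower().encode())


def guesses_accepted(store, answer, guesses):
    """Submit a list of candidate texts against a single issued challenge and
    return how many were accepted: at most one, and only if the first is right."""
    token = store.issue(answer)
    return sum(1 for g in guesses if store.verify(token, g))
```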