ColdFusion Talk (CF-Talk)
ColdFusion MX and CAPTCHA
Author: Doug Hughes
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167582
Sure, I'd be happy to offer 20% off the $50 license to anyone at all
through June 31st. Send me an email via the Contact Us form on
alagad.com and I'll hook you up.
Doug Hughes
----- Excess quoted text cut - see Original Post for more -----
Author: Doug White
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167493
Still working on it - :-)
======================================
Our Anti-spam solution works!!
http://www.clickdoug.com/mailfilter.cfm
For hosting solutions http://www.clickdoug.com
http://www.forta.com/cf/isp/isp.cfm?isp_id=1069
======================================
----- Excess quoted text cut - see Original Post for more -----
Author: Burns, John D
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167492
Doug,
Any break on your Image Manipulation CFC for fellow CF-Talkers? Just
figured I'd ask :-)
John
----- Excess quoted text cut - see Original Post for more -----
Author: Doug Hughes
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167466
1) Hi Joe!
2) I talked to Ben Forta when he came to the DC WAMMO meeting about
the CFCs being replicated across clustered servers. His answer, in a
nutshell was that they didn't have the time to do it. He also
indicated that there was a good chance that it would be supported in
the future. However, I know nothing about blackstone.
Doug Hughes
(Check out my ColdFusion Image Manipulation CFC at
http://www.alagad.com/index.cfm/name-aic)
----- Excess quoted text cut - see Original Post for more -----
Author: Kola Oyedeji
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167284
Apparently Blue dragon can but I haven't tried it ;-)
KOla
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167214
> why don't CFC instances go across cluster members?
I don't really know why they don't, just that they don't. I suspect that
JRun has some sort of serializer to write its own session variables to
strings, and that this serializer doesn't know what to do with CFC
instances, but I really don't know for certain.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
Author: Joe Rinehart
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167213
Hey Dave, feel free to lecture, I've learned from you before: why don't CFC
instances go across cluster members? I imagine it'd probably be self-evident if
I knew anything about the mechanics of session sharing across JRun, but I don't.
Thanks,
Joe
Sent: Fri 6/18/2004 8:34 AM
To: CF-Talk
Subject: RE: cfmx and CAPTCHA
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167210
> Session variables are useless on clustered servers (no
> lectures on sticky sessions please they are a waste of
> time)
I won't lecture you, but I would like to point out that you can share
Session variables across cluster members using CFMX on Jrun, although you
can't use CFC instances within the Session scope that way. Also, I would
disagree that sticky sessions are a "waste of time". If your primary goal
for clustering is simply to add throughput, there's nothing wrong with using
sticky sessions.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
Author: Adam Hope
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167187
Hi Bryan,
We are using letters not numbers. Yes it can be guessed. As can
everything. Ever heard of the RC5 challenge? With enough time and
processing power even the simplest CAPTCHA can be guessed. But that is
not the point. The point is to prevent a spider/bot from creating
accounts automatically. Which the solution I provided does perfectly
well and is in active use today.
I hope someone finds the solution helpful.
A note on the other proposed solutions:
Session variables are useless on clustered servers (no lectures on
sticky sessions please they are a waste of time) and cookies are useless
if the client blocks them.
Adam.
Sent: 17 June 2004 14:23
To: CF-Talk
Subject: Re: cfmx and CAPTCHA
----- Excess quoted text cut - see Original Post for more -----
This email and the files transmitted with it are meant solely for the use of the
individual addressee(s) named above. They may contain confidential and/or legally
privileged information. If you are not the addressee(s) or responsible for
delivery of the message to the addressee(s), please delete it from your system
and contact the sender right away. The opinions, conclusions and other
information in this message which do not relate to the official business of
Wanadoo UK plc are not necessarily endorsed by it. Wanadoo UK plc has taken steps
to ensure that this email and any attachments are virus-free, but it remains your
responsibility to confirm and ensure this.
Wanadoo UK plc is a subsidiary of Wanadoo SA. Our registered office is at:
Maylands Avenue, Hemel Hempstead, Herts, HP2 7TG, and we are registered in
England and Wales, as Company No. 3014367
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167140
Ryan, anyway we can change the background image with your tag?
Ryan Emerle wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167109
> I'm not saying it ever receives that variable. However,
> CF somehow associates that session with that client,
> therefore, the spider appears to be a valid client.
I would go a step farther and say that it is a valid client. There's no
difference between one HTTP client and another, from the web server's
perspective, beyond the User-Agent string that each client sends to identify
itself.
> Once it has the session, what keeps it from posting a
> million times on that session?
Your code would have to prevent this, if you didn't want it to be a
possibility.
> CF has to set something on the client (cookie or token or
> something) to keep the session alive, and couldn't the
> browser/spider spoof that?
If by "spoof", you mean that one HTTP client could send a token that
belonged to another HTTP client, yes. If one HTTP client simply returns the
same token it received, it's not spoofing anything, whether it's a spider or
a browser.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167088
Burns, John D wrote:
> Well, I'm just trying to figure out why it wouldn't be easier to have a
> unique string passed with each request that is also tied to the correct
> "answer" for the image.
There is nothing wrong with that if you store it in the session.
> That way, the spider could not post multiple
> times with the same unique string. It just seems like that would even
> rule out the brute force attempt.
You can do that by setting another session var that only allows them to
post within a certain time period on a certain form.
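The exchange above (can a spider that holds a valid session keep posting guesses against it?) comes down to what the action page does with the stored answer, not to the session mechanism itself. The Python below is an added example, not code from the thread or from any of the posters: a dictionary stands in for ColdFusion's server-side Session scope looked up by CFID/CFTOKEN, the rendered image is replaced by the answer string so the test can play the human reader, and MAX_ATTEMPTS and WINDOW_SECONDS are assumptions. It shows the server bounding the bot the way Bryan suggests: the stored answer is consumed on success, on expiry, and after a fixed number of wrong guesses, so looping over the URL with one session buys at most MAX_ATTEMPTS guesses per image before the bot has to fetch, and actually read, a new one.

```python
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

ALPHABET = string.ascii_lowercase   # "letters not numbers", as in Adam Hope's CFX
LENGTH = 6
MAX_ATTEMPTS = 3                    # wrong guesses allowed per image (assumption)
WINDOW_SECONDS = 120                # image must be answered within this (assumption)


@dataclass
class Challenge:
    answer: str
    issued_at: float
    attempts: int = 0


@dataclass
class Session:
    """Stands in for ColdFusion's in-memory Session scope. The client holds
    only CFID/CFTOKEN; this structure never leaves the server."""
    captcha: Optional[Challenge] = None


class CaptchaForm:
    def __init__(self, clock=time.time):
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    def session(self, cfid: str) -> Session:
        return self._sessions.setdefault(cfid, Session())

    def image_cfm(self, cfid: str) -> str:
        """image.cfm / validate.cfm: pick a fresh answer, store it in the
        session, serve the image. The return value stands in for the JPEG
        (it is what a human reads off the picture); a real page returns
        bytes via cfcontent and the string itself never reaches the client."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        self.session(cfid).captcha = Challenge(answer, self._clock())
        return answer

    def action_cfm(self, cfid: str, guess: str) -> str:
        """Form action page. Outcomes: ok | wrong | locked | expired | no-challenge."""
        s = self.session(cfid)
        c = s.captcha
        if c is None:
            return "no-challenge"        # never loaded an image, or it was consumed
        if self._clock() - c.issued_at > WINDOW_SECONDS:
            s.captcha = None
            return "expired"
        c.attempts += 1
        if hmac.compare_digest(guess.strip().lower().encode(), c.answer.encode()):
            s.captcha = None             # one image, one success: no replay on this session
            return "ok"
        if c.attempts >= MAX_ATTEMPTS:
            s.captcha = None             # the loop-over-the-URL bot must fetch a new image
            return "locked"
        return "wrong"


def bot_loop(form: CaptchaForm, cfid: str, candidates: List[str]) -> List[str]:
    """A client that keeps its CFID/CFTOKEN and loops guesses over the URL,
    as John Burns describes. Stops when the server stops answering 'wrong'."""
    results = []
    for guess in candidates:
        result = form.action_cfm(cfid, guess)
        results.append(result)
        if result != "wrong":
            break
    return results
```

Note that the session identifiers themselves are never the secret here; the spider is, as Dave Watts says, just another HTTP client returning the tokens it was given. What it cannot do is read `Challenge.answer`, and what the counter does is make each image worth a bounded number of guesses.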
Author: Burns, John D
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167074
Well, I'm just trying to figure out why it wouldn't be easier to have a
unique string passed with each request that is also tied to the correct
"answer" for the image. That way, the spider could not post multiple
times with the same unique string. It just seems like that would even
rule out the brute force attempt.
John
----- Excess quoted text cut - see Original Post for more -----
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167070
It could loop over the URL. But if the string for the image is stored in
the session and compiled into the image, the only way it could figure it
out would to be use brute force (guessing over and over again),
decompiling the image and trying to read what is the text, or using OCR.
1 and 2 are over complicated for most people, and OCR would be difficult
if you chose a good image with a good text format on it.
None are foolproof. But mine and Ryan's idea is the best bet for most
situations. You just have to have a good string and a good background image.
Burns, John D wrote:
> Right, but what I'm saying is that once it has the cfid and cftoken,
> couldn't it loop over a url passing possible texts for the image (thus
> keeping the same session)
Author: Burns, John D
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167067
Right, but what I'm saying is that once it has the cfid and cftoken,
couldn't it loop over a url passing possible texts for the image (thus
keeping the same session)
John
----- Excess quoted text cut - see Original Post for more -----
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167065
CFID and CFTOKEN are stored for that session. CF maps that internally
to retrieve the session.
Even if the spider read the CFID and CFTOKEN values, there is no way it
could then tell CF to try and map it to retrieve the session. And even
if it could, it couldn't read the value of the session var.
Burns, John D wrote:
> I'm not saying it ever receives that variable. However, CF somehow
> associates that session with that client, therefore, the spider appears
> to be a valid client. Once it has the session, what keeps it from
> posting a million times on that session? CF has to set something on the
> client (cookie or token or something) to keep the session alive, and
> couldn't the browser/spider spoof that?
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167064
Since when can you store the session in anything other than memory?
It's client variables that you can change the storage mechanism for.
Thomas Chiverton wrote:
> If you use cookies as your session storage, yes.
Author: Thomas Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167063
> AFAIK you can use cookies for client storage but not for session
> storage
:blames liquid lunch and goes back to the corner :-)
--
Tom Chiverton
Advanced ColdFusion Programmer
Tel: +44(0)1749 834997
email: tom.chiverton@bluefinger.com
BlueFinger Limited
Underwood Business Park
Wookey Hole Road, WELLS. BA5 1AF
Tel: +44 (0)1749 834900
Fax: +44 (0)1749 834901
web: www.bluefinger.com
Company Reg No: 4209395 Registered Office: 2 Temple Back East, Temple
Quay, BRISTOL. BS1 6EG.
*** This E-mail contains confidential information for the addressee
only. If you are not the intended recipient, please notify us
immediately. You should not use, disclose, distribute or copy this
communication if received in error. No binding contract will result from
this e-mail until such time as a written document is signed on behalf of
the company. BlueFinger Limited cannot accept responsibility for the
completeness or accuracy of this message as it has been transmitted over
public networks.***
Author: Pascal Peters
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167061
AFAIK you can use cookies for client storage but not for session
storage
----- Excess quoted text cut - see Original Post for more -----
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167059
Good, just making sure that I haven't been making myself sound like an a**
> That's correct. Neither can a browser. All a browser can do is send
> identifying tokens like cookies or URL variables back to the server, which
> can then read Session variables and use them within the program that
> generates the response to the browser's request.
Author: Burns, John D
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167060
I'm not saying it ever receives that variable. However, CF somehow
associates that session with that client, therefore, the spider appears
to be a valid client. Once it has the session, what keeps it from
posting a million times on that session? CF has to set something on the
client (cookie or token or something) to keep the session alive, and
couldn't the browser/spider spoof that?
John
----- Excess quoted text cut - see Original Post for more -----
Author: Thomas Chiverton
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167058
> A session value passes in a HTTP header?
If you use cookies as your session storage, yes.
--
Tom Chiverton
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167055
I like yours Ryan. I would try and make the key a little stronger.
Ryan Emerle wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167056
----- Excess quoted text cut - see Original Post for more -----
That's correct. Neither can a browser. All a browser can do is send
identifying tokens like cookies or URL variables back to the server, which
can then read Session variables and use them within the program that
generates the response to the browser's request.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167053
A session value passes in a HTTP header?
Burns, John D wrote:
> I don't think he's saying that the spider can _read_ the session var,
> but if you set one and it is passed to the next page, the spider will
> have it and then all it needs to do is figure out the image.
Author: Ryan Emerle
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167051
I have posted the tag i created on my site. You can grab a copy from here:
http://www.emerle.net/programming/display.cfm/t/cfx_captcha
Included is an example file which shows how you can use session variables.
Basically, the example file will act as an image. You simply add an
IMG tag pointing to that file:
<img src="./images/validation/validate.cfm">
And it will serve up the generated image with CFCONTENT right after it
sets the session variable. All you have to do is check the posted
value against the session value. Of course, you will have to watch
out for session timeouts.. :)
It's not fool-proof, but it gets the job done.. :)
-Ryan
Hi All,
How would one provide a cfmx-only solution (no .Net) for a 'CAPTCHA'
solution. Any ideas would be appreciated.
http://www.devx.com/dotnet/Article/21308
TIA,
Patrick Whittingham
United Space Alliance
_____________________________________
Author: Burns, John D
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167049
Bryan,
I don't think he's saying that the spider can _read_ the session var,
but if you set one and it is passed to the next page, the spider will
have it and then all it needs to do is figure out the image.
John
----- Excess quoted text cut - see Original Post for more -----
Author: Burns, John D
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167047
That was my thought. Thus, if it can get a session, it can continue to
the next page without a problem. That's why the only way that seems
feasible to me is to push an image to the client and for each request
that the client makes for an image, associate that with a unique ID that
you use kind of like a session. You know exactly what image you showed
the user to begin with by associating that unique id to one of your
images in your DB and therefore, the client must pass the appropriate
unique ID (either through session or hidden form field) and the correct
text from the image. Once submitted, you clear out the record with the
unique id from the database so the person can't submit multiple requests
with the same unique id and image text.
John
----- Excess quoted text cut - see Original Post for more -----
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167042
Aren't there a finite number of different combinations of a number
between 1 and 6? And you're saving that variable to the page? If so that
can be picked up and eventually guessed.
Adam Hope wrote:
> Create a Java CFX which randomly uses a True Type Font from a zip file
> and randomly picks 6 characters to be displayed in a JPEG file. It
> writes the image fiel to the filesystem so you can display it on the
> page. It also returns (as a coldfusion variable) the six characters that
> it has chosen to put in the image. eg.
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167041
> A spider is nothing more than another HTTP client. It can do anything that
> any HTTP client can do, and it can't do things that HTTP doesn't allow. So,
> to answer a question like this, all you have to do is ask "can I do that
> with a browser". If yes, then it can be done with a spider, and if no, it
> can't.
I don't remember the specifics Dave, but if I'm not mistaken, you said
before that a spider could _not_ read a session var.
Author: Adam Hope
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#167011
Hi All,
After having read through everyone's posts here is how I actually did it
and it's currently running today on a site that gets 2000 new
registrations a day. BTW this will run on CF 4.5 and up:
Create a Java CFX which randomly uses a True Type Font from a zip file
and randomly picks 6 characters to be displayed in a JPEG file. It
writes the image file to the filesystem so you can display it on the
page. It also returns (as a ColdFusion variable) the six characters that
it has chosen to put in the image. eg.
<cfx_captcha ivreturnvar="ivString" jpgreturnvar="ivImg">
You then immediately hash the contents of the variable and place it in a
hidden form field
<cfoutput><input type="hidden" name="hashcode" value="#hash(ivString)#"></cfoutput>
Then have an input box for the users to type into
<input type="text" name="ivchars" value="" size="6" maxlength="6">
And finally on the page the form posts to you compare the hidden form
field value 'hashcode' to the hash value of whatever the user entered.
If this is the same then they entered the string correctly
<cfscript>
if (hash(form.ivchars) EQ form.hashcode) {
    success = 1;
}
</cfscript>
And there you have it. I'll have a word with the powers that be and see
if I can give the source code out. Please don't get your hopes up
though.
Adam Hope
Development Team Leader
Wanadoo UK PLC
www.smartgroups.com
Sent: 16 June 2004 20:55
To: CF-Talk
Subject: cfmx and CAPTCHA
----- Excess quoted text cut - see Original Post for more -----
Author: Rick Root
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166992
Dave Watts wrote:
----- Excess quoted text cut - see Original Post for more -----
Since session variables are stored in memory on the server, the spider
cannot access them. Neither can the browser, for that matter.
- Rick
Author: Matthew Fusfield
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166993
Take a look here: http://www.emerle.net/comments/view.cfm/p/152
----- Excess quoted text cut - see Original Post for more -----
Author: Dave Watts
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166985
> > Couldn't a spider just as easily pick up a session var?
>
> Now this is where I'm not 100% sure. I have been doing some
> research and as far as I can tell it can not. I'm open to be
> proven wrong.
A spider is nothing more than another HTTP client. It can do anything that
any HTTP client can do, and it can't do things that HTTP doesn't allow. So,
to answer a question like this, all you have to do is ask "can I do that
with a browser". If yes, then it can be done with a spider, and if no, it
can't.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
phone: 202-797-5496
fax: 202-797-5444
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166980
It depends on how random your number was. Because that number can be
extracted and algorithms written to guess what string would be returned.
And it could keep doing this over and over again.
So if your number is near unique and sufficiently long such as a UUID
and also able to be converted into a string short enough to be
manageable by a user, then there is no problem with your method.
However, anything that you put in the body of the code is another clue
to your algorithm behind the scenes. Remember there are a lot of smart 6
year olds out there that can easily make us look like an embryo. ;-)
So long story short, if the random number is stored in the session, then
no clues would be left. So then they would have to rely on brute
force, trying to decode and guess what the string was from the image, or
make a more powerful OCR system.
Adam Howitt wrote:
> Which part of this would fail?
Author: Adam Howitt
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166977
Read what text? The clear text is just a one way key. They have to
provide the correct word which is never passed to the form.
e.g.
Pass MyRandomNumber = 1234567 to obfuscater to get an image with the
word 'awwwYeah' cleverly hidden behind some garbage to make it hard to
decode.
Spider has no way of knowing the 'awwwYeah' piece since all the first
page has is the image and the random number.
submit guess 'thisIsWhack' as the guess to the cfm page
Obfuscater returns false since when the second obfuscater function
looks up the word for random number 1234567 it differs from the other
function value so it fails.
Which part of this would fail?
----- Excess quoted text cut - see Original Post for more -----
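Both "keep the state in the page" designs in this thread put an unkeyed value in the HTML: Adam Hope's hidden field carries hash(ivString), and Adam Howitt's Obfuscater carries a random number from which the word is derived by a fixed function. The Python below is an added example, not code from the thread or from any poster, and models the two objections Bryan Hogan raises against them: a client that has the hidden value can check candidate answers offline, with no request to the server at all, by enumerating the CAPTCHA alphabet (the alphabet and length in the test are deliberately small so it runs in a second; for six letters the table is 26^6 digests, built once for the whole site), and a solved pair can be resubmitted any number of times. The hardened version keeps the scheme stateless per request but makes the hidden value an HMAC under a server-only key over a random nonce, an expiry and the answer, and burns the nonce on first use; the key, the TTL and the field names are assumptions. CF's hash() is MD5 in uppercase hex, which is what weak_issue mimics.

```python
import hashlib
import hmac
import itertools
import secrets
import time
from typing import Optional


# --- The scheme as posted: hashcode = hash(answer) in a hidden field ---
# Nothing is stored server-side, nothing is keyed, nothing is single-use.

def weak_issue(answer: str) -> dict:
    """Hidden field as posted: value="#hash(ivString)#" (CF hash() is MD5, upper hex)."""
    return {"hashcode": hashlib.md5(answer.encode()).hexdigest().upper()}


def weak_verify(form: dict) -> bool:
    """Action page as posted: hash(form.ivchars) EQ form.hashcode."""
    return hashlib.md5(form["ivchars"].encode()).hexdigest().upper() == form["hashcode"].upper()


def invert_unkeyed_hash(hashcode: str, alphabet: str, length: int) -> Optional[str]:
    """What a bot does with the hidden field: enumerate the CAPTCHA alphabet
    offline, never touching the server, until a digest matches. The cost is
    len(alphabet) ** length MD5s, and the table can be precomputed once."""
    target = hashcode.upper()
    for chars in itertools.product(alphabet, repeat=length):
        candidate = "".join(chars)
        if hashlib.md5(candidate.encode()).hexdigest().upper() == target:
            return candidate
    return None


# --- Hardened: keyed, expiring, single-use token; still no session needed ---

class CaptchaTokens:
    """The page carries nonce, expiry and an HMAC over (nonce, expiry, answer)
    under a key only the server has. Without the key the hidden fields say
    nothing about the answer (no offline check), and the nonce is burned on
    the first verification attempt, so a solved form cannot be replayed."""

    def __init__(self, key: bytes, ttl_seconds: int = 300, clock=time.time):
        self._key = key
        self._ttl = ttl_seconds
        self._clock = clock
        self._used = set()   # in production: a shared table/cache with the same TTL

    def _mac(self, nonce: str, expires: int, answer: str) -> str:
        msg = "|".join([nonce, str(expires), answer.lower()]).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, answer: str) -> dict:
        """Hidden fields to emit alongside the image; the answer itself stays out."""
        nonce = secrets.token_hex(16)
        expires = int(self._clock()) + self._ttl
        return {"nonce": nonce, "expires": str(expires),
                "mac": self._mac(nonce, expires, answer)}

    def verify(self, form: dict) -> bool:
        nonce = form.get("nonce", "")
        expires = form.get("expires", "")
        if not nonce or not expires.isdigit() or int(expires) < self._clock():
            return False
        if nonce in self._used:
            return False                  # replay of an already-submitted form
        self._used.add(nonce)             # burn it even on a wrong guess
        expected = self._mac(nonce, int(expires), form.get("ivchars", ""))
        return hmac.compare_digest(expected, form.get("mac", ""))
```

The set of burned nonces is the one piece of server-side state, and on a cluster it has to live somewhere shared, but a short row per form load with a fixed TTL is a much smaller thing to share than a session, which is the trade-off between this design and the session-scoped one discussed elsewhere in the thread.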
Author: Steven Erat
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166976
Check out this posting for a Java CFX custom CAPTCHA solution from Ryan
Emerle:
http://www.emerle.net/comments/view.cfm/p/152
----- Excess quoted text cut - see Original Post for more -----
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166973
Sorry Matt, didn't see that. Thanks!
Matt Liotta wrote:
> http://sourceforge.net/project/showfiles.php?group_id=100854&package_id=108545
Author: Matt Liotta
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166972
http://sourceforge.net/project/showfiles.php?group_id=100854&package_id=108545
-Matt
On Jun 16, 2004, at 4:47 PM, Bryan F. Hogan wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166970
And of course the spider can read that text and pass it to the
validateEntry function and post to your form over, and over, and over again.
Anything stored in the page can be read and posted as if it were typed
in by the user.
Adam Howitt wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Adam Howitt
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166969
A web service called Obfuscater.cfc with 2 methods:
1. imageType getImage(String myRandomNumber)
This uses cfcontent to create an image based on the random number,
pick a word to use and send it back to the browser as an image.
2. boolean validateEntry(String myRandomNumber, String userGuess)
Regens the same word from part 1 with myRandomNumber and compares the
result to the userGuess and returns true or false.
myRandomNumber is passed from page to page even as text since the
decode logic is all kept in the validateEntry piece.
Ok, ok, I've been holding off on this because I wanted to write
something up about it. Here it is.
1. Find an image package that will allow you to create and write text on
top of a image.
2. Create a file like below.
image.cfm
<!--- theImage: the image package you picked in step 1 (placeholder) --->
<cflock timeout="2" throwontimeout="yes" name="captchaImage">
    <cfset session.captchaString = left(hash(createUUID()), 6)>
    <cfset captchaString = session.captchaString>
</cflock>
<!--- write() stands for your package's "draw this text" call; the string itself never goes to the browser --->
<cfset theImage = write(captchaString)>
<cfcontent type="image/gif" reset="true">
<cfoutput>#variables.theImage#</cfoutput>
3. Include the image on your form
<img src="image.cfm">
4. Include a field the user can type into.
5. Action page check form field with session.captchaString.
That's as simple as it gets.
Whittingham, P wrote:
> thanks...didn't know that.
Author: Jerry Johnson
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166968
This seems pretty simple as a concept.
First, generate a set of .gif files that represent each character that can be
used in a hash.
a.gif
A.gif
b.gif
etc.
Then on your page, show an image and a form field
<img src="randomimage.cfm">
<input type="text" name="secretcode">
in randomimage.cfm, generate a text hash. save that on your server for this
session. DO NOT PASS IT TO THE BROWSER.
Take that text hash and build a list of alphabet samples.
Use ImageMagick to build a single graphic out of the string of graphics (I do not
know the specifics of how to do this, but it should be possible)
Return that combined image using CFCONTENT
Once the image is used, it should not be used again anytime soon.
On the submission handler page, check to see if the text field matches the
session variable to see if they got the match.
Jerry Johnson
>>> WHITTIPG@usa-spaceops.com 06/16/04 03:54PM >>>
Hi All,
How would one provide a cfmx-only solution (no .Net) for a 'CAPTCHA' solution.
Any ideas would be appreciated.
http://www.devx.com/dotnet/Article/21308
TIA,
Patrick Whittingham
United Space Alliance
_____
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166966
Ok, I'll trust ya. ;-)
Whittingham, P wrote:
> maybe another layer of security which might be used for internal blogs...:)
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166965
p.s. Matt's code here is what I use. It would be nice if Matt could
compile it, so that someone writing up the steps involved with building a
CAPTCHA implementation doesn't have to trust that someone will know how
to compile Java. ;-)
Matt Liotta wrote:
> The code needed to produce an image from a string has already been
> created.
>
> http://cvs.sourceforge.net/viewcvs.py/*checkout*/openxcf/javacfx/src/
> net/sourceforge/openxcf/javacfx/ImageString.java?content-
>
> type=text%2Fplain&rev=1.1
Author: Whittingham, P
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166964
maybe another layer of security which might be used for internal blogs...:)
Pat
If it's an intranet and you have proper login, etc. implemented, why are
you even worried about a captcha image?
Whittingham, P wrote:
> this is on an intranet, so I don't have worry about a spider....except
> ours....:)
_____
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166962
If it's an intranet and you have proper login, etc. implemented, why are
you even worried about a captcha image?
Whittingham, P wrote:
> this is on an intranet, so I don't have worry about a spider....except
> ours....:)
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166961
Burns, John D wrote:
> Yes, but if that hidden form field is generated automatically and is
> truly unique per user, what harm is there?
The spider can read the string and post what ever it wants to your form
for that request and keep doing it over and over and over again.
> Couldn't a spider just as
> easily pick up a session var?
Now this is where I'm not 100% sure. I have been doing some research and
as far as I can tell it can not. I'm open to be proven wrong.
> After all, it has to hit the first page
> to "read" the image and then post, so it could do so in the same
> session.
That is only useful if a spider can read the session. It would not even
have to worry about the image if it could read the session. It could
however decode your image and try and figure it out from there. But most
of the time, nobody is going to spend that much time. Nothing is 100%
but you make it as difficult as possible.
>
> Another good thing might be to push all of your images down using
> <cfcontent> so that they all appear as "image.gif" and then it will be
> harder to map an image to a correct response.
Either way, the only way it would matter is if the spider could read the
session. If it can it doesn't have to worry about the image.
> However, the tax on the
> server of creating dynamic images for every request seems absurd.
You know how many IO operations happen in CFMX during a request? A lot;
it really isn't any more taxing than displaying the image itself. For
most sites, it would not even be noticeable. And if it becomes noticeable,
you just upgrade the server.
Author: Whittingham, P
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166960
this is on an intranet, so I don't have worry about a spider....except ours....:)
Pat
Yes, but if that hidden form field is generated automatically and is
truly unique per user, what harm is there? Couldn't a spider just as
easily pick up a session var? After all, it has to hit the first page
to "read" the image and then post, so it could do so in the same
session.
Another good thing might be to push all of your images down using
<cfcontent> so that they all appear as "image.gif" and then it will be
harder to map an image to a correct response. However, the tax on the
server of creating dynamic images for every request seems absurd.
John
Ok this is the second time I have heard someone say to pass the string
in a hidden form field.
DO NOT DO IT. A spider can download the html and read that string and
pass that as the field.
Burns, John D wrote:
----- Excess quoted text cut - see Original Post for more -----
_____
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166959
Yes Flash can be decompiled. So can an image. And there is no captcha
string truly unique that can't eventually be figured out. You just make
it as difficult as possible.
Your idea would work, but an image is better because it is compiled. And
flash you're passing the data in somehow that can be caught.
Doug James wrote:
> A thought just struck me so it is a bit off the top of my head, and may
> not be totally thought through.
>
> If one is to believe MM and that 70%+ of the world's browsers have a flash
> plug-in loaded, could one use flash remoting to create a standard flash
> still image then use CF to put random letters on top of the image? Can
> automated scripts decipher flash movies?
Author: Matt Liotta
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166958
The code needed to produce an image from a string has already been
created.
http://cvs.sourceforge.net/viewcvs.py/*checkout*/openxcf/javacfx/src/
net/sourceforge/openxcf/javacfx/ImageString.java?content-
type=text%2Fplain&rev=1.1
-Matt
On Jun 16, 2004, at 4:23 PM, Bryan F. Hogan wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Burns, John D
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166957
Yes, but if that hidden form field is generated automatically and is
truly unique per user, what harm is there? Couldn't a spider just as
easily pick up a session var? After all, it has to hit the first page
to "read" the image and then post, so it could do so in the same
session.
Another good thing might be to push all of your images down using
<cfcontent> so that they all appear as "image.gif" and then it will be
harder to map an image to a correct response. However, the tax on the
server of creating dynamic images for every request seems absurd.
John
Ok this is the second time I have heard someone say to pass the string
in a hidden form field.
DO NOT DO IT. A spider can download the html and read that string and
pass that as the field.
Burns, John D wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Doug James
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166956
A thought just struck me so it is a bit off the top of my head, and may
not be totally thought through.
If one is to believe MM and that 70%+ of the world's browsers have a flash
plug-in loaded, could one use flash remoting to create a standard flash
still image then use CF to put random letters on top of the image? Can
automated scripts decipher flash movies?
Just a thought.
Doug
Whittingham, P wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166954
Ok this is the second time I have heard someone say to pass the string
in a hidden form field.
DO NOT DO IT. A spider can download the html and read that string and
pass that as the field.
Burns, John D wrote:
----- Excess quoted text cut - see Original Post for more -----
Author: Bryan F. Hogan
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166953
Ok, ok, I've been holding off on this because I wanted to write
something up about it. Here it is.
1. Find an image package that will allow you to create and write text on
top of an image.
2. Create a file like below.
image.cfm
<cfset theImage=Your image manipulation package>
<cflock timeout="2" throwontimeout="yes" name="captchaImage">
<cfset session.captchaString=yourRandomUniqueStringGoesHere>
<cfset captchaString=session.captchaString>
</cflock>
<cfset theImage=write(session.captchaString)>
<cfcontent type="image/gif" reset="true">
<cfoutput>#variables.theImage#</cfoutput>
3. Include the image on your form
<img src="image.cfm">
4. Include a field the user can type into.
5. Action page checks the form field against session.captchaString.
That's as simple as it gets.
Whittingham, P wrote:
> thanks...didn't know that.
Author: Burns, John D
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166951
It shouldn't be hard. You don't necessarily need to create the images
on the fly. Just create a bunch of them once. Then associate the file
name with the correct answer in the DB. Each time you display a file to
the user, generate another unique id mapping the particular display to
that particular user with a record from the other table that has the
filename and correct answer. Display the image to the person and hide
the unique id (in session or hidden form). Then when submitted, check
that session to find out which image was passed and compare their
response with the correct string. Remove the record from the DB so they
can't submit multiple times with the same info. Just my thoughts, there
may be an easier way.
John
Whittingham, P wrote:
>
> How would one provide a cfmx-only solution (no .Net) for a 'CAPTCHA'
> solution. Any ideas would be appreciated.
This has been posted and discussed many times since I've been on the
list.
I have yet to see anyone suggest specifics on how to do it though.
It shouldn't be too hard to use JAI or ImageMagick or something similar
though to generate an image with text using a funky font then overlay
the image with another image to confuse OCR software...
I think you'd store the image text in a database, and pass some kind of
ID in the form as a hidden field, then on submission, look for that ID
in the database and compare the text in the database to what the user
typed in.
Again, it's all theoretical. Maybe someday, someone will write such a
tool and share with all of us how they did it.
- Rick
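An added example, not code from this thread or from any poster's project, written in Python rather than CFML so it can be run directly: it combines the defensive points raised above, keeping the answer on the server (Bryan's session.captchaString, Jerry's "DO NOT PASS IT TO THE BROWSER"), regenerating the word from a random number as Adam Howitt's validateEntry does but through a keyed hash so the number can safely ride in a hidden field as John and Rick suggest, and consuming each challenge on first use so a solved pair cannot be posted over and over. The word list, the server secret and the in-memory dictionary standing in for a session or database table are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample word list; a real deployment would use a larger one.
WORDS = ["orbit", "fusion", "cluster", "spider", "session", "remoting"]
# Lives on the server only, like session.captchaString; never sent to the browser.
SERVER_SECRET = secrets.token_bytes(32)


def challenge_word(nonce):
    """Derive the challenge word from the nonce with a keyed hash (HMAC): the
    'regenerate the word from the random number' idea, done so that the nonce
    carried in the page reveals nothing about the word without the key."""
    digest = hmac.new(SERVER_SECRET, nonce.encode(), hashlib.sha256).digest()
    return WORDS[int.from_bytes(digest[:4], "big") % len(WORDS)]


class CaptchaService:
    """Issues one-shot challenges. The nonce may sit in a hidden field because
    the answer is never in the page and a solved pair cannot be replayed."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.issued = {}  # nonce -> issue time; stands in for a DB/session table

    def issue(self, now=None):
        """Return (nonce, word); only the word is rendered into the image."""
        nonce = secrets.token_urlsafe(16)
        self.issued[nonce] = time.time() if now is None else now
        return nonce, challenge_word(nonce)

    def validate(self, nonce, guess, now=None):
        """Single use: the record is removed on the first attempt, right or
        wrong, so a client that read the image once cannot post it forever."""
        now = time.time() if now is None else now
        issued_at = self.issued.pop(nonce, None)
        if issued_at is None or now - issued_at > self.ttl:
            return False  # unknown, already used, or expired challenge
        expected = challenge_word(nonce)
        # Constant-time comparison; user input is normalised before comparing.
        return hmac.compare_digest(expected, guess.strip().lower())
```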
Author: Whittingham, P
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166949
thanks...didn't know that.
Pat
Whittingham, P wrote:
>
> How would one provide a cfmx-only solution (no .Net) for a 'CAPTCHA'
> solution. Any ideas would be appreciated.
This has been posted and discussed many times since I've been on the list.
I have yet to see anyone suggest specifics on how to do it though.
It shouldn't be too hard to use JAI or ImageMagick or something similar
though to generate an image with text using a funky font then overlay
the image with another image to confuse OCR software...
I think you'd store the image text in a database, and pass some kind of
ID in the form as a hidden field, then on submission, look for that ID
in the database and compare the text in the database to what the user
typed in.
Again, it's all theoretical. Maybe someday, someone will write such a
tool and share with all of us how they did it.
- Rick
_____
Author: Rick Root
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166947
Whittingham, P wrote:
>
> How would one provide a cfmx-only solution (no .Net) for a 'CAPTCHA'
> solution. Any ideas would be appreciated.
This has been posted and discussed many times since I've been on the list.
I have yet to see anyone suggest specifics on how to do it though.
It shouldn't be too hard to use JAI or ImageMagick or something similar
though to generate an image with text using a funky font then overlay
the image with another image to confuse OCR software...
I think you'd store the image text in a database, and pass some kind of
ID in the form as a hidden field, then on submission, look for that ID
in the database and compare the text in the database to what the user
typed in.
Again, it's all theoretical. Maybe someday, someone will write such a
tool and share with all of us how they did it.
- Rick
Author: Whittingham, P
Short Link: http://www.houseoffusion.com/groups/cf-talk/thread.cfm/threadid:33293#166943
Hi All,
How would one provide a cfmx-only solution (no .Net) for a 'CAPTCHA' solution.
Any ideas would be appreciated.
http://www.devx.com/dotnet/Article/21308
TIA,
Patrick Whittingham
United Space Alliance
_____
May 24, 2012