看起来我们将为Stack Overflow添加CAPTCHA支持。这对于防止机器人、垃圾邮件发送者和其他恶意脚本活动是必要的。我们只希望人类在这里发布或编辑东西!
我们将使用JavaScript (jQuery)验证码作为第一道防线:
http://docs.jquery.com/Tutorials:Safer_Contact_Forms_Without_CAPTCHAs
这种方法的优点是,对于大多数人来说,CAPTCHA永远不会可见!
然而,对于禁用JavaScript的人,我们仍然需要一个备用方案,这就是棘手的地方。
我为ASP编写了一个传统的CAPTCHA控件。NET,我们可以重复使用。
但是,我更倾向于使用一些文本化的东西,以避免为每个请求在服务器上创建所有这些图像的开销。
我见过这样的事情…
ASCII文本验证码:\/\/(_)\/\/ 数学难题:7减3乘以2等于多少? 小问题:癞蛤蟆和冰棍,哪个更好吃?
也许我只是在风车这里倾斜,但我希望有一个更少的资源密集型,非图像为基础的<noscript>兼容的验证码,如果可能的话。
想法吗?
当前回答
Make an AJAX query for a cryptographic nonce to the server. The server sends back a JSON response containing the nonce, and also sets a cookie containing the nonce value. Calculate the SHA1 hash of the nonce in JavaScript, copy the value into a hidden field. When the user POSTs the form, they now send the cookie back with the nonce value. Calculate the SHA1 hash of the nonce from the cookie, compare to the value in the hidden field, and verify that you generated that nonce in the last 15 minutes (memcached is good for this). If all those checks pass, post the comment.
This technique requires that the spammer sits down and figures out what's going on, and once they do, they still have to fire off multiple requests and maintain cookie state to get a comment through. Plus they only ever see the Set-Cookie header if they parse and execute the JavaScript in the first place and make the AJAX request. This is far, far more work than most spammers are willing to go through, especially since the work only applies to a single site. The biggest downside is that anyone with JavaScript off or cookies disabled gets marked as potential spam. Which means that moderation queues are still a good idea.
从理论上讲,这可以作为通过模糊性的安全,但在实践中,这是很好的。
我从未见过垃圾邮件发送者试图破解这种技术,尽管可能每隔几个月我就会收到一个手动输入的主题垃圾邮件条目,这有点怪异。
其他回答
我的建议是ASCII验证码,它不使用图像,它是程序员/极客。 这是一个PHP实现http://thephppro.com/products/captcha/这是一个付费的。 有一个免费的,也是PHP实现,但我找不到一个例子-> http://www.phpclasses.org/browse/package/4544.html
我知道这些都是在PHP中,但我相信你们这些聪明的家伙构建SO可以“移植”到你最喜欢的语言。
我推荐一些琐事问题。不是每个人都能理解字母的ASCII表示,有多个运算的数学问题会让人困惑。
Make an AJAX query for a cryptographic nonce to the server. The server sends back a JSON response containing the nonce, and also sets a cookie containing the nonce value. Calculate the SHA1 hash of the nonce in JavaScript, copy the value into a hidden field. When the user POSTs the form, they now send the cookie back with the nonce value. Calculate the SHA1 hash of the nonce from the cookie, compare to the value in the hidden field, and verify that you generated that nonce in the last 15 minutes (memcached is good for this). If all those checks pass, post the comment.
This technique requires that the spammer sits down and figures out what's going on, and once they do, they still have to fire off multiple requests and maintain cookie state to get a comment through. Plus they only ever see the Set-Cookie header if they parse and execute the JavaScript in the first place and make the AJAX request. This is far, far more work than most spammers are willing to go through, especially since the work only applies to a single site. The biggest downside is that anyone with JavaScript off or cookies disabled gets marked as potential spam. Which means that moderation queues are still a good idea.
从理论上讲,这可以作为通过模糊性的安全,但在实践中,这是很好的。
我从未见过垃圾邮件发送者试图破解这种技术,尽管可能每隔几个月我就会收到一个手动输入的主题垃圾邮件条目,这有点怪异。
映像可以在客户端从服务器传递的基于矢量的信息中创建。
这将减少服务器上的处理和传输的数据量。
我认为文本验证码方法的问题在于文本可以被解析并因此得到回答。
如果你的网站很受欢迎(如Stackoverflow),人们喜欢代码挂在它(如Stackoverflow),很有可能有人会把“打破验证码”作为一个挑战,很容易赢得一些简单的javascript + greasemonkey。
因此,例如,在线程的某个地方建议隐藏彩色字母的方法(确实是一个很酷的想法,想法),可以通过以下示例行简单解析轻松打破:
<div id = "captcha">
<span class = "red">s</span>
asdasda
<span class = "red">t</span>
asdff
<span class = "red">a</span>
jeffwerf
<span class = "red">c</span>
sdkk
<span class = "red">k</span>
</div>
同样,解析这个也很简单:
3 + 4 = ?
如果它遵循模式(x + y)或类似的。
类似地,如果你有一组问题(橙色是什么颜色?比如,白雪公主周围有多少个小矮人?),除非你有成千上万个小矮人,否则你可以从其中挑选30个,生成一个问答散列,然后让脚本机器人重新加载页面,直到找到这30个小矮人中的一个。
