CAPTCHA

Thanks, I found links to one on there
http://www.alagad.com/go/products-and-projects/captcha-component/captcha-component

unfortunately it's CF6MX onwards.

I wonder if it possible for us to run this on our CF8 server but integrate it into the site that is running on CF5.. umm..

It's a big noise about dynamic image verification codes. However, consider this: if you have large enough number of pre-generated images ("large enough" may mean 10, for example, dependently on the Web-site), you do not need any dynamic system at all. Just randomly display a verification image from static image pool.

That's what we did in a previous site, we had over 100 characters, but I felt that with being able to generate images using code that we could increase the potential number of available images, otherwise they could potentially figure out all of our codes at some point, depending on how the code revealed it, we use huge encrypted codes appended to the uid of each image, but rhere was always a risk with that

>That's what we did in a previous site, we had over 100 characters, but I felt that with being able to generate images
> using code that we could increase the potential number of available images, otherwise they could potentially
> figure out all of our codes at some point, depending on how the code revealed it, we use huge encrypted codes
> appended to the uid of each image, but rhere was always a risk with that

This is common and totally false opinion that adding "randomness" increases security. Note that whatever you do programmatically will not be random anyway. Common sense "randomness" often is not random at all.

"Huge encrypted codes" - what for? There is a well known approach used, for example, in NTLM or Digest to transmitt authetication without sending credentials. Of course, if you just base64 encode the content of the image, you might be in trouble.

Again, with a good random sequence using proven methods of transmitting authentication credentials, static pool will work as good as real "random" image. Opposite is also true: if I can figure it out how you generate your "random" numbers (just Rand()?), I can find your next number. If I crack your "Huge encrypted codes", I even do not need to look at the image.

Just curious, what kind of Web-site you are protecting???

The system I previously developed was flawed, from what I remember (as it's a couple of years old and no in service now) is that we stored the image in the dbase with a large number
ADFFGFFFDFGDSFFDGDSGF for example, random for up to 200 images

then we dumped it into a hidden field and used the large code to match, it was only a matter of time for a persistent spammer and they would be in (with a lot of patience)

My plan is to do this take a couple of hundred images, put them in a table with the actual text, so if an image says abcd, I put abcd in the table, and then give each one a unique UID which also matches the image name in a secure folder that nobody has access to 1.gif, 2.gif etc

When they visit the site to complete the form write a record in the dbase with their IP, and put a random number from the image table into their record, then when they try to match I'll be able to tell if it's correct or not without revealing anything. Each time they visit I give them a unique temp record in the table so they never know what I stored and I can move the image and rename it with the same name or a random name, doesn't matter.

If they get it wrong 'x' amount of times store their data in a banned table and ban their IP for 48 or more hours.

On the surface I think that will work, I am sure I will come up with a flaw :)

Not sure this will work on CF 5:

http://lyla.maestropublishing.com/Index.cfm

--
Ken Ford
Adobe Community Expert - Dreamweaver
Fordwebs, LLC
http://www.fordwebs.com


"ACS LLC" <webforumsuser@macromedia.com> wrote in message
news:fml73n$kiv$1@forums.macromedia.com...
> Thanks, I found links to one on there
>
> http://www.alagad.com/go/products-and-projects/captcha-component/captcha-compone
> nt
>
> unfortunately it's CF6MX onwards.
>
> I wonder if it possible for us to run this on our CF8 server but integrate
> it
> into the site that is running on CF5.. umm..
>

Thanks

I did find that earlier and have sent them an email to find out if it is CF5.0 compatible