Posted by Rob Loach on September 12, 2007 at 11:00pm
| Project: | CAPTCHA Pack |
| Version: | 5.x-1.x-dev |
| Component: | User interface |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Issue Summary
An implementation of Gotcha using Captcha and the Captcha Pack.
The general idea is that you place a text field element named "Subject: " at the top of the form and use CSS to hide it. The captcha validation requires the text field to be blank. Now when spam bots cruise by the site, they'll see "Subject" in the form, stick in some content, and send the form post. The Captcha will then deny its access since it requires nothing to be in the subject field. Normal human users don't see this Subject field, as the CSS hides it.
More discussion is available on this here: http://drupal.org/node/166921
Comments
#1
I contacted nancyw, the author of the gotcha module, some days ago about this, but haven't received an answer yet.
It's indeed a simple captcha, but I think it is too simple to provide a long term solution. See the "Security Even After Wide-Spread Adoption" guideline at http://captcha.net/ . I'm not sure if it would be a good idea to put it in CAPTCHA pack, because that would accelerate its widespread adoption, which in turn reduces its value :)
#2
I find this a challenge to show how powerful the Captcha module can be, as well as to see what possible limitations the Captcha module has. If Gotcha has been requested by some people, then it's something that we should at least attempt to implement. You're just too lazy to implement it :-P . Here's my attempt at captcha_pack_gotcha.module:
<?php
// $Id: foo_captcha.module,v 1.5 2007/09/08 13:06:18 soxofaan Exp $

/**
 * Implementation of hook_help().
 */
function captcha_pack_gotcha_help($section) {
  switch ($section) {
    case 'admin/user/captcha/captcha_pack_gotcha':
      return '<p>'. t('Provides a CAPTCHA Challenge without presenting anything to the user.') .'</p>';
  }
}

/**
 * Implementation of hook_captcha().
 */
function captcha_pack_gotcha_captcha($op, $captcha_type='', $response='') {
  switch ($op) {
    case 'list':
      return array('Gotcha');
      break;
    case 'generate':
      if ($captcha_type == 'Gotcha') {
        $captcha = array();
        $captcha['solution'] = ''; // The solution is an empty string (nothing entered)
        $captcha['form']['captcha_response'] = array(
          '#type' => 'textfield',
          '#title' => t('Summary'),
          '#weight' => -9999, // Setting captcha weight fails
          //'#prefix' => '<div style="display:none;">', // Hide the form
          //'#suffix' => '</div>'
        );
        return $captcha;
      }
      break;
  }
}
?>
Now, if you put that into captcha_pack_gotcha.module, add the captcha_pack_gotcha.info file, enable the module and use it on the comment form, you see that it forces the form's weight to be right above the Submit button when we really want it to be listed right at the top of the form. This shows us that setting the weight for the Captcha challenge fails. I've tried a number of different ways of setting the #weight, but all fail. This is something that we should possibly address in captcha.module.
Other than that, it works. If you uncomment the #prefix and #suffix lines, you'll see that the textfield disappears, leaving a CSS-hidden form that users can't see, but that spam bots can. If it was stuck at the top of the page, it would be a successful implementation of Gotcha.
#3
First: why would you want to reposition the captcha to the top of the page if you are hiding it afterwards?
Second: I think the current design is how it should be: the CAPTCHA type modules just provide their challenge and the base CAPTCHA module does all the general stuff (storing data in $_SESSION, validation, positioning, etc).
Also note that the challenge widgets are embedded in a fieldset (or markup form element if the CAPTCHA description is empty). It's the fieldset (or markup element) that gets positioned, so with the weights you can only control the order of the elements inside the fieldset (or markup element).
Moreover, the fieldset should also be hidden, which is tricky (it can't be done with the #prefix/#suffix stuff). With the current CAPTCHA API it is not even possible I think, unless you use some heavy JavaScript magic. To solve this, the API should provide a way to add a prerender callback to the form or something.
#4
So that spam bots would see it as the first field and input data into it. This is the core design of Gotcha.
Yes, but what happens when we want to do things like this? We can't...
Hmmm, that makes it tricky. Since it places the captcha using #pre_render, it seems that there isn't really a way of sticking it at the top of the page.
Maybe send the completed form back to hook_captcha with $op = 'pre_render' or something?
#5
Do you consider this a critical feature of Gotcha? Wouldn't it be enough to put the title "website" or "URL" on the field?
Well, we can. But not within the traditional CAPTCHA API way. Gotcha could for example implement its own form_alter hook. That way we could use the CAPTCHA API for normal administration/setup stuff and overrule captcha_form_alter(). I'm not sure if it's as easy as this description (e.g. you have to be sure that captcha_form_alter is called before gotcha_form_alter).
To quote yourself at http://drupal.org/node/169132#comment-292601 :
Joking aside, I don't think this needs a separate 'pre_render' operation in captcha_hook. An additional (optional) array item $captcha['form']['pre_render'] returned by the 'generate' operation should do it.
Concerning the possible API changes this would need, I started a new issue for CAPTCHA: http://drupal.org/node/175585
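
The form_alter route mentioned in comment #5, sketched as an added example that is not part of the original thread or of the CAPTCHA Pack code: the decoy field is added as a top-level form element, so its #weight is not confined to the CAPTCHA fieldset, and a validation callback rejects any submission where it comes back non-empty. It assumes the Drupal 5 Form API and bypasses the CAPTCHA module's own administration; the module name `gotcha_example` and the field key `gotcha_subject` are hypothetical.

```php
<?php
// Added illustration, not CAPTCHA Pack code. Assumes Drupal 5 core APIs.
// "gotcha_example" and "gotcha_subject" are hypothetical names.

/**
 * Implementation of hook_form_alter() (Drupal 5 signature).
 */
function gotcha_example_form_alter($form_id, &$form) {
  // Only the comment form is protected in this example.
  if ($form_id != 'comment_form') {
    return;
  }
  // Decoy field: a top-level element, sorted first and wrapped in a hidden div.
  $form['gotcha_subject'] = array(
    '#type' => 'textfield',
    '#title' => t('Summary'),
    '#default_value' => '',
    '#weight' => -9999,
    '#prefix' => '<div style="display:none;">',
    '#suffix' => '</div>',
  );
  // Register the check next to the form's existing validation callbacks.
  $form['#validate']['gotcha_example_validate'] = array();
}

/**
 * Validation callback: the decoy field must come back empty.
 */
function gotcha_example_validate($form_id, $form_values) {
  $value = isset($form_values['gotcha_subject']) ? trim($form_values['gotcha_subject']) : '';
  // Compare against '' explicitly; empty() would let the string "0" through.
  if ($value !== '') {
    // Record the hit so the rejection rate can be monitored.
    watchdog('gotcha', t('Decoy field filled on %form.', array('%form' => $form_id)), WATCHDOG_WARNING);
    // Generic message: do not tell the client which field triggered it.
    form_set_error('gotcha_subject', t('Your submission could not be accepted.'));
  }
}
?>
```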