I'm using captcha 7.x-1.0-beta2+16-dev and Drupal 7.22.

Lately, and in the past, I have seen log entries of spam bots requesting the same captcha image multiple times in order to get the easiest-to-answer version of the captcha. For example, if I call
http://mysite.com/image_captcha?sid=5&ts=1365221990 multiple times, I get an image with the same solution but generated differently each time.

Would it be better to just return a "304 Not Modified" header in this case to tell client browsers to use what is already in their cache, or to force a new solution to be generated?

Is there maybe some other way to prevent spammers from cherry-picking image captchas?

Thank you very much!

Comment  File                          Size     Author
#2       1962962_randomseeding.patch   1.66 KB  soxofaan

Comments

soxofaan:

The "get another distortion on reload" behavior was intended as a feature, but as you point out, it mainly lowers the bar for automated CAPTCHA solving and is probably not that useful for legitimate human users.

Detecting re-requesting the same image is a bit tricky.
First, for the "304 Not Modified" trick, you need a conditional request (containing date information from the previous request). A spam bot can easily circumvent this by not providing the date of the previous request.
Also, only allowing one request for the image to work and failing on subsequent requests is tricky. IIRC, it was implemented like this in earlier versions, but it caused issues in some situations/environments; I remember something about certain browsers requesting the image twice for some reason.

Anyway, a possible alternative approach is always using the same distortion for the same challenge.
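The approach above (one fixed distortion per challenge) comes down to seeding the distortion PRNG from the challenge instead of from fresh entropy on every request. The following is an added illustration of that idea, not the Image CAPTCHA module's own PHP: the "image" is just a tuple of per-glyph jitter/rotation values and noise lines, `SITE_PRIVATE_KEY` is an assumed stand-in for a site secret, and `difficulty()` is a made-up score standing in for whatever a solver uses to pick the easiest rendering. The seed is an HMAC over the session id and the solution so that two challenges never share a distortion by accident and a client cannot compute the seed from the `sid` it can see in the URL.

```python
"""Model of "same distortion for the same challenge".

Constructed example, not the Image CAPTCHA module's PHP. The "image" is a tuple
of per-glyph distortion parameters plus noise lines rather than real pixels; the
point is only whether repeated requests for one challenge yield identical output.
"""
import hashlib
import hmac
import random

# Assumed stand-in for the site's private key (Drupal would use its own).
SITE_PRIVATE_KEY = b"constructed-example-private-key"


def distortion_seed(private_key: bytes, sid: int, solution: str) -> int:
    """Seed for the distortion PRNG, fixed per challenge.

    HMAC over (sid, solution): distinct challenges get distinct seeds, and a
    client that only knows sid cannot predict the seed (hence the distortion).
    """
    msg = f"{sid}:{solution}".encode()
    digest = hmac.new(private_key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def render_distortion(solution: str, rng: random.Random) -> tuple:
    """Draw every distortion parameter from rng; returns a hashable 'image'."""
    glyphs = tuple(
        (ch,
         rng.randint(-6, 6),          # horizontal jitter, px
         rng.randint(-6, 6),          # vertical jitter, px
         rng.uniform(-25.0, 25.0))    # rotation, degrees
        for ch in solution
    )
    noise_lines = tuple(
        (rng.randint(0, 120), rng.randint(0, 40),
         rng.randint(0, 120), rng.randint(0, 40))
        for _ in range(rng.randint(2, 6))
    )
    return glyphs, noise_lines


def difficulty(image: tuple) -> float:
    """Made-up hardness score: total glyph rotation plus 10 per noise line.

    A bot that reloads keeps the rendering with the lowest score.
    """
    glyphs, noise_lines = image
    return sum(abs(rot) for _, _, _, rot in glyphs) + 10.0 * len(noise_lines)


def render_unseeded(solution: str) -> tuple:
    """Pre-fix behaviour: fresh PRNG state on every request."""
    return render_distortion(solution, random.Random())


def render_seeded(private_key: bytes, sid: int, solution: str) -> tuple:
    """Post-fix behaviour: PRNG seeded from the challenge itself."""
    seed = distortion_seed(private_key, sid, solution)
    return render_distortion(solution, random.Random(seed))


def reload_attack(render, n: int) -> tuple:
    """Request the same challenge n times.

    Returns (number of distinct renderings seen, easiest difficulty score).
    """
    images = [render() for _ in range(n)]
    return len(set(images)), min(difficulty(img) for img in images)


if __name__ == "__main__":
    sid, solution = 5, "h7xk2"
    print("unseeded:", reload_attack(lambda: render_unseeded(solution), 50))
    print("seeded:  ", reload_attack(
        lambda: render_seeded(SITE_PRIVATE_KEY, sid, solution), 50))
```

With the unseeded renderer, fifty reloads give fifty different images and the attacker's best score drops below that of a typical single rendering; with the seeded renderer every reload is byte-for-byte the same image, so reloading buys nothing and the extra requests only show up in the logs. Two caveats a practitioner would want: the seed must be derived from data that is stable across reloads of the same challenge (the session id and the stored solution, not the request timestamp), and the fix does not stop a bot from simply abandoning a hard challenge and starting a new one; rate limiting per session or IP is still needed for that.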

soxofaan:

Status: Active » Needs review
File: 1962962_randomseeding.patch (1.66 KB)

Here is a patch.

podarok:

Issue summary: View changes
Status: Needs review » Fixed

#2 committed
Thanks!

  • Commit 02e5c93 on 7.x-1.x authored by soxofaan, committed by podarok:
    Issue #1962962 by soxofaan | Amaylia: Fixed Image captcha generates new...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.