I’m looking at using an alternative to Captcha (or Recaptcha) for the registration form on a website I’m working on.
I believe Captchas negatively affect UX. I was looking into using hidden fields, but apparently they’re not effective at all (Reference: http://radio.javaranch.com/davo/2008/10/15/1224063498569.html)
A comment on that article states:
As someone that writes CAPTCHA crackers as part of my job (no, not for spamming), I can assure you that a hidden field would in no way trip me up. As another poster mentioned, I check the over-the-wire traffic, and don’t pay much attention to what happens to be in the HTML of the form.
This led me to believe that spambots make direct POST requests to the server, rather than request the form and fill it out.
If that is the case, what if I create a hidden, read-only field that I pre-populate with a hash stored in SESSION? When the user submits the form, I can compare the values. Would this work as a way to keep away spambots, or am I overlooking something?
If the form is never requested, I, of course, would not find any hash stored in session and could thus ignore the request.
Adding another field with a challenge tied to a server-side session variable is a good approach; it would require considerably more effort on the side of spam bots, i.e. they have to load and parse the form, fill it out and make another request (sending along the necessary cookies).
You could also consider adding JavaScript to modify the given challenge and modify it in a certain way. The attacker would then need to find out what your code does before they can replicate it in an automated fashion. Transformations could be a simple rot13 or more complicated xor operations. Things like md5, sha1 are established algorithms so those are a poor choice; it has to be custom.
Of course, if an attacker is bound on targeting your site, there’s not much you can do to prevent spam from coming in; that’s the ugly truth. For instance, they could run Selenium and circumvent all the JavaScript protection you have carefully built in.
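A minimal server-side version of the session-tied hidden field discussed in the question and the answer above, added here as an example and not code from the original thread. It assumes a dict-like server-side session (as web frameworks such as Flask or Django provide); the token is single-use and carries an expiry, both of which are my additions rather than something the thread specifies.

```python
import hmac
import secrets
import time

# How long (seconds) a rendered form stays valid; an assumption, tune per site.
MAX_TOKEN_AGE = 3600


def issue_challenge(session, now=None):
    """Called when the form is rendered.

    Stores a random, unguessable token plus its issue time in the server-side
    session and returns the token so the view can place it in the hidden field.
    """
    token = secrets.token_urlsafe(32)
    session["form_token"] = token
    session["form_issued"] = int(now if now is not None else time.time())
    return token


def verify_challenge(session, submitted, now=None, max_age=MAX_TOKEN_AGE):
    """Called on POST. Returns True only for a submission that came from a
    form this session actually requested; any failure is treated as a bot.
    """
    # pop() makes the token single-use: a replay of the same POST fails.
    token = session.pop("form_token", None)
    issued = session.pop("form_issued", None)
    if token is None or issued is None:
        return False  # form was never requested in this session: direct POST
    if not isinstance(submitted, str) or not submitted:
        return False
    # Constant-time compare avoids leaking the token through timing.
    if not hmac.compare_digest(token.encode(), submitted.encode()):
        return False
    age = int(now if now is not None else time.time()) - issued
    return 0 <= age <= max_age
```

The session must be stored server-side and sent only via the session cookie; if the token were derivable from anything visible in the HTML, a bot inspecting wire traffic could compute it without ever loading the form.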