Validating Form Users

[owatagal]

Aside from captcha images, what methods are available to validate that form users are human and not bots/programs trying to flood the form? I'd like to avoid captchas if possible because they aren't handicap accessible.

 

It's not a problem with validating the form data itself, because spammers can easily spoof valid data. How do you verify a user is human and not a machine drone trying to flood the comments without captchas?

 

Javascript is right out--too easy to turn off. If sessions were effective, I'd think people would be using them instead of captchas. But I suppose sessions would be better than nothing, especially if they were tied to a database &extra random numbers.

 

Anyone have any ideas? I'm not necessarily looking for code examples, just thoughts on how to verify a human user without resorting to images. Not that I'd turn down code examples, of course!

[borfast]

Well, I guess this is a matter of imagination... the first thing that came to my mind was asking people to check some other page and enter a certain word from somewhere in that other page into a text field in your form. Of course this isn't as viable as captchas (who invented that name?? ), because page contents may change at any time.

 

There's also the e-mail verification method: you send an e-mail to someone with an unique code, which that person will have to enter in another page to be able to verify his/her account.

[matman]

CAPTCHA is allegedly an acronym for:

"Completely Automated Public Turing Test to Tell Computers and Humans Apart"

 

Ugly, yes indeed, but crafted by the compter geniuses at Carnegie Mellon, not for any esthetic appeal.

 

http://www.captcha.net/

[matman]

To answer the actual question, it would seem that for a one-off web application almost anything would work. Simply requiring any random or semi-random string from the page to be copied into a form field would work unless/until someone wrote a script SPECIFICALLY targetting your page/application that would automatically read and parse the form to craft a specific reply. For that matter, you could automate the process in a hidden form field and that would deter 98% of the vandalism that goes on (since most form spamming/vandalism doesn't even look at unique form instances, just hammers the "action" page with POSTs.)

 

If you want a harder (i.e. more secure) solution, consider implementing IP checking and log the IPs that POSTs come from. Limit a given IP address to 1-3 POSTs every 1-3 minutes. Again, a determined vandal could use a DDOS or IP spoofing to defeat this security measure, but that level of determination is rare.

[matman]

There's a REALLY good white paper on this topic by the W3C:

http://www.w3.org/TR/turingtest/

 

It doesn't give explicit methods or anything, but discusses the pros and cons of various currently-used and potentially-useable methods.

 

The coolest idea to me is the simple logic/knowledge test:

 

Which of these is not a color:

A. green

B. squirrel

C. orange

D. red

 

 

Would be laborious to implement and create, but accessible. And do you really want comments in your blog from someone whose living room is painted "squirrel"?

[borfast]

I love that logic test idea, matman!

 

Oh, and thanks for the link, too.

[owatagal]

Email verification could work. I can just whitelist certain IP addresses that I know comment often so they don't have to go through it.

 

I thought about the random string thing, but anything I can write a program to get around I don't want to do--if I can hack it, it's a bad thing, you know?

 

I'll definitely check out the link--looks great! The logic test is a good idea. I saw something similar on another site--an extra form field asking "What is Diana's first name?".

 

I doubt any comment spammers would ever actually *want* to target my site anyway--no trackbacks, and all comment URLs include the rel="nofollow" tag, and it's homegrown code so they have to work extra hard to find it (can't search for known files). They'd be doing a lot of work and wasting their time--boy, do I love the thought of them *really* wasting their time by trying to find a way around extra security measures. And if no one bothers, I still know more about security then I did before. Everyone wins (ok, I win).

 

I'll go see what the W3C has to say.