Ajax CAPTCHA validation

Is it reasonable (or secure) to validate CAPTCHA via AJAX? I want to place a sign up form without any page reload. Is it secure? (I am using Validation[1] and Form plugins)

[1] http://bassistance.de/jquery-plugins/jquery-plugin-validation/


You cannot rely on JavaScript to secure anything. You can use it as a first-pass, but you still need to do the captcha validation on the server (as it appears you are planning to do). For example, see: http://www.howtocreate.co.uk/tutorials/javascript/security

My concern with a full AJAX solution (no page reloads) is that it will likely be possible for a user to bypass the return value from the POST-back and continue going even if the captcha is invalid. But you can keep track of any captcha failure in a server session and double-check the result at the end of your sign up form, since eventually everything will be done server-side. If the captcha was never valid, then you would have to deny the signup regardless of any other data that you have received from that client.


A reasonable way to implement this is as follows:

1) When the form page is requested, generate a session-specific server-side key.

2) When the user presses "Submit", use an AJAX call to send the user-entered captcha text to the server.

3) Server checks the user-submitted value. If it is equal to the text in the captcha, return the server-side key generated in step 1.

4) Browser now has the server-side key. Upon form submit, check that the server-side key specified by the browser matches the server-side key generated in step 1. If so, the user must have passed the captcha, so process the request.
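
The four steps above as a server-side sketch (an added example, not code from any of the answers). It assumes a Node.js backend where `session` is the per-user session object; the function names are hypothetical, and the one-guess-per-captcha and single-use-key rules go beyond what the answer states.

```javascript
// Added example: server-side state for the four-step flow described above.
// Assumption: `session` is a plain per-user object kept by the server.
const { randomBytes, timingSafeEqual } = require('node:crypto');

// Step 1: when the form page is requested, create the session-specific key
// and remember the captcha text that was rendered into the image.
function issueForm(session, captchaText) {
  session.captcha = captchaText;
  session.key = randomBytes(32).toString('hex'); // unguessable, never in the page
  session.passed = false;
}

// Steps 2-3: AJAX endpoint. The key is returned only for a correct answer.
// Addition: the captcha is discarded after one guess, so a wrong answer
// requires a fresh challenge instead of allowing unlimited retries.
function checkCaptcha(session, answer) {
  const expected = session.captcha;
  session.captcha = null;
  if (typeof expected !== 'string' || answer !== expected) return null;
  session.passed = true;
  return session.key;
}

// Step 4: final form POST. The decision rests on server-side state plus the
// key sent back by the browser; what the client did with the AJAX response
// is irrelevant, so skipping or faking that response gains nothing.
function submitForm(session, submittedKey) {
  const { key, passed } = session;
  session.key = null;      // addition: single use, a replayed key is rejected
  session.passed = false;
  if (!passed || typeof key !== 'string' || typeof submittedKey !== 'string') {
    return false;
  }
  const a = Buffer.from(submittedKey);
  const b = Buffer.from(key);
  // timingSafeEqual throws on unequal lengths, so check byte length first.
  return a.length === b.length && timingSafeEqual(a, b);
}
```
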


Yes, it can be done using PHP and AJAX, but you need to clear cache every time a captcha is loading that reload button. Here is a perfect example for you: http://www.thetutlage.com/demo/captcha/

EDIT | I also found the article link http://www.thetutlage.com/post=TUT120


Even if you use AJAX, it's still server-side, since you make a call to the server to validate it.

