Ajax CAPTCHA validation

Is it reasonable (or secure) to validate a CAPTCHA via AJAX? I want to place a sign-up form without any page reload. Is it secure? (I am using the Validation[1] and Form plugins.)

[1] http://bassistance.de/jquery-plugins/jquery-plugin-validation/

Answer1:

You cannot rely on JavaScript to secure anything. You can use it as a first-pass, but you still need to do the captcha validation on the server (as it appears you are planning to do). For example, see: http://www.howtocreate.co.uk/tutorials/javascript/security

My concern with a full AJAX solution (no page reloads) is that it will likely be possible for a user to bypass the return value from the POST-back and continue going even if the captcha is invalid. But you can keep track of any captcha failure in a server session and double-check the result at the end of your sign up form, since eventually everything will be done server-side. If the captcha was never valid, then you would have to deny the signup regardless of any other data that you have received from that client.

Answer2:

A reasonable way to implement this is as follows:

1) When the form page is requested, generate a session-specific server-side key.

2) When the user presses "Submit", use an AJAX call to send the user-entered captcha text to the server.

3) Server checks the user-submitted value. If it is equal to the text in the captcha, return the server-side key generated in step 1.

4) Browser now has the server-side key. Upon form submit, check that the server-side key specified by the browser matches the server-side key generated in step 1. If so, the user must have passed the captcha, so process the request.

Answer3:

Yes, it can be done using PHP and AJAX, but you need to clear the cache every time a captcha is loaded via that reload button. Here is a perfect example for you: http://www.thetutlage.com/demo/captcha/

EDIT | I also found the article link: http://www.thetutlage.com/post=TUT120

Answer4:

Even if you use AJAX, it's still server-side, since you make a call to the server to validate it.
