Question
Is it reasonable (or secure) to validate CAPTCHA via ajax? I want to place a sign up form without any page reload. Is it secure? (I am using Validation[1] and Form plugins)
[1] http://bassistance.de/jquery-plugins/jquery-plugin-validation/
Answer 1:
You cannot rely on JavaScript to secure anything. You can use it as a first-pass, but you still need to do the captcha validation on the server (as it appears you are planning to do). For example, see: http://www.howtocreate.co.uk/tutorials/javascript/security
My concern with a full AJAX solution (no page reloads) is that it will likely be possible for a user to bypass the return value from the POST-back and continue going even if the captcha is invalid. But you can keep track of any captcha failure in a server session and double-check the result at the end of your sign up form, since eventually everything will be done server-side. If the captcha was never valid, then you would have to deny the signup regardless of any other data that you have received from that client.
Answer 2:
A reasonable way to implement this is as follows:
1) When the form page is requested, generate a session-specific server-side key.
2) When the user presses "Submit", use an AJAX call to send the user-entered captcha text to the server.
3) Server checks the user-submitted value. If it is equal to the text in the captcha, return the server-side key generated in step 1.
4) Browser now has the server-side key. Upon form submit, check that the server-side key specified by the browser matches the server-side key generated in step 1. If so, the user must have passed the captcha, so process the request.
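The four steps of Answer 2, sketched as server-side logic in Node.js. This is an added example, not code from the original answer: the function names and the in-memory `sessions` map are hypothetical, and the one-attempt-per-captcha rule, single-use key and constant-time comparison are assumptions added here.

```javascript
const crypto = require('crypto');

// In-memory store standing in for real server-side session state (assumption).
const sessions = new Map();

// Step 1: form page requested -> create the session, its captcha text and its key.
function newFormSession(captchaText) {
  const sessionId = crypto.randomBytes(16).toString('hex');
  sessions.set(sessionId, {
    captchaText,
    key: crypto.randomBytes(32).toString('hex'),
    passed: false,
  });
  return sessionId;
}

// Constant-time string comparison (hashing first equalizes the lengths).
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest();
  const hb = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Steps 2-3: AJAX endpoint. Each captcha gets one attempt; the key is
// returned only when the answer matches.
function checkCaptcha(sessionId, answer) {
  const s = sessions.get(sessionId);
  if (!s || s.captchaText === null) return { ok: false };
  const ok = safeEqual(answer, s.captchaText);
  s.captchaText = null; // spent: a wrong guess requires a fresh captcha
  s.passed = ok;
  return ok ? { ok: true, key: s.key } : { ok: false };
}

// Step 4: final submit. The decision uses the server's own state, not the
// AJAX reply the browser saw, so skipping or faking that reply gains nothing.
function submitSignup(sessionId, key, form) {
  const s = sessions.get(sessionId);
  if (!s || !s.passed || !safeEqual(key, s.key)) return { accepted: false };
  sessions.delete(sessionId); // key is single-use; a replayed submit is rejected
  return { accepted: true, user: form.user };
}
```
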
Answer 3:
Yes, it can be done using PHP and AJAX, but you need to clear the cache every time a captcha is loading that reload button. Here is a perfect example for you: http://www.thetutlage.com/demo/captcha/
EDIT | I also found the article link http://www.thetutlage.com/post=TUT120
Answer 4:
Even if you use AJAX, it's still server-side, since you make a call to the server to validate it.
Source: https://stackoverflow.com/questions/10012388/ajax-captcha-validation