Captcha verification logic?

I need to write a captcha service for the integration software I'm working on. After some thought, I realise that I don't quite understand how a captcha works technically (I understand how it works functionally), and therefore I was unable to make some design decisions. A few things bother me:

  • Should I keep a session for each user? (i.e. remember their IP, domain, etc.)
  • Should I regenerate the passphrase on error? (I know sites like Google and Digg do this)
  • Each call will go to the database. I'm not sure whether this will affect server performance, but I will consider using things like memcached. But I can't see a way to avoid hitting the db or the cache, because you need to read first, then check, then update.
  • Do I need an expiration time for the captcha? Say 15 minutes?

If 1 is yes, then I think the logic gets complicated, because I need to do things like: has this passphrase been verified before? Does it expire? Is it from the same IP? etc.

And if I need to track the IP address and check it, then after too many invalid requests what should I do? Block them?

So, I think a captcha should work this way, in a simple way:

Kind of stateless, meaning that each captcha generated only lives for 2 requests: an initial request and a subsequent request. And the result will be either fail or pass. If it fails, generate a new one.

I hope someone can make some suggestions or explain how a proper captcha works. Thanks.

Update:

I need to explain a little about the functional requirements:

Conditions:

  • The client is someone else on the web
  • my service consists of: a captcha service and another service that the client can access through an HTTP request.

Workflow:

  • the client makes a request to our captcha service
  • the captcha service generates a token and passphrase and saves them in the db
  • the client makes an HTTP request to a web page to receive the image
  • the client sends a request to our other service and passes the passphrase
  • our other service uses the passphrase to check with our captcha service, etc.

Also, I wonder whether step 3 is necessary, or whether I should just return the image stream in step 2.
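The "kind of stateless" design sketched above (each captcha lives for two requests, then is gone) can be built so that issuing a captcha writes nothing to the database: the token is signed, and the check recomputes the signature from the submitted answer. The following is an added Python example, not code from the original post. It assumes a server-side HMAC key (SERVER_KEY, generated at import time here), the 15-minute TTL mentioned in the question and a made-up token layout; all function and class names are the example's own. It also demonstrates the caveat a practitioner should know: a purely stateless token cannot stop a solved token from being replayed, so a small set of spent nonces still has to be kept until those tokens would have expired anyway.

```python
"""Stateless captcha token for the "two requests and it's gone" design.

Added example, not from the original post. The answer never reaches the
database: the token carries a nonce, an expiry and two HMAC tags, one proving
the server issued it and one binding it to the hashed answer. Verification
recomputes the tags from the submitted answer. What a purely stateless token
cannot do is stop a solved token being replayed, so a small "spent nonce" set
is still kept until the tokens in it would have expired anyway.
"""
import base64
import hashlib
import hmac
import secrets
import string
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: a real service loads this from config
TOKEN_TTL = 15 * 60                    # the 15 minutes floated in the question
NONCE_LEN, EXP_LEN, TAG_LEN = 16, 8, 32
# Avoid characters that are ambiguous once distorted in an image.
ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits if c not in "O0I1")


def _normalise(answer: str) -> bytes:
    return answer.strip().upper().encode()


def _issue_tag(nonce: bytes, expires: bytes) -> bytes:
    """Proves the token was minted by us; lets verify() reject garbage cheaply."""
    return hmac.new(SERVER_KEY, b"issued|" + nonce + expires, hashlib.sha256).digest()


def _answer_tag(nonce: bytes, expires: bytes, answer: str) -> bytes:
    """Binds the token to the answer without storing the answer anywhere."""
    msg = b"answer|" + nonce + expires + hashlib.sha256(_normalise(answer)).digest()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue(now=None, length: int = 6):
    """Return (token, passphrase). Render the passphrase into the image and
    forget it; hand only the token to the client (form field or cookie)."""
    now = int(time.time()) if now is None else int(now)
    passphrase = "".join(secrets.choice(ALPHABET) for _ in range(length))
    nonce = secrets.token_bytes(NONCE_LEN)
    expires = (now + TOKEN_TTL).to_bytes(EXP_LEN, "big")
    raw = nonce + expires + _issue_tag(nonce, expires) + _answer_tag(nonce, expires, passphrase)
    return base64.urlsafe_b64encode(raw).decode(), passphrase


class SpentNonces:
    """Replay guard: remembers nonces that have been used (pass or fail)."""

    def __init__(self):
        self._spent = {}  # nonce -> expiry, so entries can be dropped once moot

    def claim(self, nonce: bytes, expires: int, now: int) -> bool:
        for n, exp in list(self._spent.items()):
            if exp <= now:
                del self._spent[n]
        if nonce in self._spent:
            return False
        self._spent[nonce] = expires
        return True


def verify(token: str, answer: str, spent: SpentNonces, now=None) -> bool:
    """One verification per token. A wrong answer burns the token too, so the
    client must fetch a new image rather than keep guessing against this one."""
    now = int(time.time()) if now is None else int(now)
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except ValueError:  # includes binascii.Error and UnicodeEncodeError
        return False
    if len(raw) != NONCE_LEN + EXP_LEN + 2 * TAG_LEN or len(answer) > 32:
        return False
    nonce = raw[:NONCE_LEN]
    expires = raw[NONCE_LEN:NONCE_LEN + EXP_LEN]
    issue_tag = raw[NONCE_LEN + EXP_LEN:NONCE_LEN + EXP_LEN + TAG_LEN]
    answer_tag = raw[NONCE_LEN + EXP_LEN + TAG_LEN:]
    # Reject forged or garbage tokens before touching the spent set, so an
    # attacker cannot fill it with made-up nonces.
    if not hmac.compare_digest(issue_tag, _issue_tag(nonce, expires)):
        return False
    exp = int.from_bytes(expires, "big")
    if exp <= now:
        return False
    if not spent.claim(nonce, exp, now):
        return False
    return hmac.compare_digest(answer_tag, _answer_tag(nonce, expires, answer))
```

The spent set is the unavoidable state: without it, a bot that solved one image once could submit the same token and answer until the TTL ran out. Because the nonce is claimed before the answer is compared, a wrong guess also consumes the token, which is the "fail means generate a new one" rule from the question. In a multi-server deployment the set would live in memcached or similar, but note that it is only written on verification, never on issue.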

3 answers

1: Should I store a session for each user? (i.e. remember their IP, domain, etc.)

That depends on the server-side web programming language you are using. Most of them simply offer built-in methods for managing the session, for example in PHP using session_start() and $_SESSION, and in JSP / Servlet you can get it with HttpServletRequest#getSession(). Since you did not indicate which one you are using, I cannot give a more specific / detailed answer. All I can offer is to familiarize yourself with the docs / tutorials / books for the programming language in question.

You do not need to remember the IP. Just setting a key / token in the session is enough; the session in turn is usually backed by a cookie already, so theoretically you could just use a cookie for this if you intend to do all of this yourself (note: DO NOT put the answer in the cookie, but just some unique key to identify the client!).

2: Should I regenerate the passphrase on error? (I know sites like Google and Digg do this)

Of course you need to. Otherwise, bots can brute force the captcha.

However, is there a reason why you are not using an existing captcha API that you could just plug in, such as reCAPTCHA?
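To make this answer's advice concrete (an opaque key in the session or cookie, the answer kept server-side, regenerate on failure) together with the five-step workflow in the question's update, here is an added Python example; it is not part of the original post or of any of the answers. A dict stands in for the database or memcached; CaptchaService, handle_submission, the keyed hash, the HMAC key and the TTL are all assumptions of the example.

```python
"""Token-keyed captcha store, the shape the first answer describes.

Added example, not from the original post. A dict stands in for the database
or memcached from the question's workflow. The client (its cookie, session or
form) only ever holds the opaque token; the passphrase stays server-side as a
keyed hash. verify() removes the record whether the answer is right or wrong,
so each captcha is good for exactly one check and a failure means a new image.
"""
import hashlib
import hmac
import secrets
import string
import time

TOKEN_TTL = 15 * 60  # the 15 minutes from the question
ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits if c not in "O0I1")


class CaptchaService:
    def __init__(self, key=None, ttl=TOKEN_TTL):
        self._key = key or secrets.token_bytes(32)  # assumption: from config in production
        self._ttl = ttl
        self._records = {}  # token -> (keyed hash of answer, expiry); "the database"

    def _mac(self, answer: str) -> bytes:
        # Keyed hash rather than plaintext, so a readable store does not hand
        # out answers; the key never leaves the captcha service.
        return hmac.new(self._key, answer.strip().upper().encode(), hashlib.sha256).digest()

    def issue(self, now=None, length=6):
        """Step 2 of the question's workflow: mint token + passphrase, store the record."""
        now = int(time.time()) if now is None else int(now)
        self._purge(now)
        token = secrets.token_urlsafe(32)  # this, not the passphrase, goes in the cookie/session
        passphrase = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self._records[token] = (self._mac(passphrase), now + self._ttl)
        return token, passphrase

    def verify(self, token: str, answer: str, now=None) -> bool:
        """Step 5: consume the record and compare. No IP or per-user state is needed."""
        now = int(time.time()) if now is None else int(now)
        record = self._records.pop(token, None)  # single use, pass or fail
        if record is None:
            return False
        answer_mac, expires = record
        if expires <= now:
            return False
        return hmac.compare_digest(answer_mac, self._mac(answer))

    def pending(self) -> int:
        return len(self._records)

    def _purge(self, now: int) -> None:
        for token in [t for t, (_, exp) in self._records.items() if exp <= now]:
            del self._records[token]


def handle_submission(captcha: CaptchaService, form: dict, now=None) -> str:
    """The question's "other service": it trusts nothing in the form except
    what the captcha service confirms, and never sees the stored answer."""
    ok = captcha.verify(form.get("captcha_token", ""), form.get("captcha_answer", ""), now=now)
    return "accepted" if ok else "captcha failed: issue a new token and image"
```

The one thing the dict hides is atomicity: `pop` claims and removes the record in a single step. With Redis that is GETDEL; with memcached it is a get followed by a delete, and the answer should only be trusted if the delete reports that the key still existed, otherwise two concurrent submissions of the same token can both succeed.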


Captchas are difficult. There is a lot of research on designing them, as well as on breaking them. It is much better and more useful to use a tool such as reCAPTCHA: http://recaptcha.net/whyrecaptcha.html , which provides fairly good protection, simplifies integration, and puts the time spent typing to good use.


I have to start with: why use a captcha? Since the obvious answer is to prevent spam bots, I think saving sessions per user is a bad idea. It can lead to legitimate users being blocked by mistake. Plus, it will not prevent a smart bot from continuing to try to break your captcha.

In addition, if you do not regenerate captchas, a good bot will eventually break them.

So, IMHO, you are better off never blocking users (perhaps block registered users, but if they are anonymous, then no) and regenerating the passphrase for each request.


Source: https://habr.com/ru/post/1300570/

