[Solar-talk] Image Captchas and RTE's
Rodrigo Moraes
rodrigo.moraes at gmail.com
Thu Aug 3 08:47:41 PDT 2006
On 8/3/06, Clay Loveless wrote:
> I think the way I would approach this would be something like a
> public key/private key system.
> [...]
Seems good and simple enough! I think I'll follow these lines. Thanks. :-)
> [...]
> As an add-on, if you wanted to make sure that your captchas expired
> after a certain period of time, do the cleanup process a couple of
> times throughout, and make sure that the $inputhash not only matches
> md5($input.$config['Solar_Captcha_Private']), but also has a file
> that hasn't been cleaned out. That eliminates the issue of someone
> using stale captchas in some sort of brute force attack
That's another purpose of the db - it has a timestamp so the captcha
expires after a while. No row found, no validation. But I think
checking if the image exists (and deleting it if it is older than some
time) would be a nice no-db workaround. I'll check some php-security
readings to see if something else can be added to your nice ideas.
By the way, if you have time, take a look at the persistent login
adapter I've released some time ago. It checks and renews a
cookie token on each page request; I think there isn't much to be done
about this and I've tried to follow guidelines from some PHP-Security
masters.
cheers,
rodrigo
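The no-db variant sketched in this exchange (keyed hash over the input, plus expiry via the image file), written out as an added example; this is not Solar code, and `$privateKey`, the `$imageDir` layout and the `.png` naming are assumptions. It swaps `md5($input.$key)` for `hash_hmac` and a constant-time compare, and makes the image file single-use so a token cannot be replayed.

```php
<?php
// Added example, not part of Solar. The token binds the answer and the
// issue time under a secret key, so the client-supplied $issuedAt cannot
// be altered without invalidating the hash.
function captchaToken(string $answer, int $issuedAt, string $privateKey): string
{
    // HMAC instead of md5($answer . $key): keyed, not length-extendable.
    return hash_hmac('sha256', $answer . '|' . $issuedAt, $privateKey);
}

function validateCaptcha(string $input, int $issuedAt, string $token,
                         string $privateKey, string $imageDir, int $ttl = 600): bool
{
    // Expiry first: a stale token is rejected regardless of the hash.
    if (time() - $issuedAt > $ttl) {
        return false;
    }
    // Constant-time comparison so the check leaks nothing via timing.
    if (!hash_equals(captchaToken($input, $issuedAt, $privateKey), $token)) {
        return false;
    }
    // "Has a file that hasn't been cleaned out": the image is the one-shot
    // record; deleting it on success prevents reuse of a solved captcha.
    $file = $imageDir . '/' . $token . '.png';   // assumed naming scheme
    if (!is_file($file)) {
        return false;
    }
    unlink($file);
    return true;
}

// Periodic cleanup of images older than $ttl, as the thread suggests.
function cleanupCaptchas(string $imageDir, int $ttl = 600): int
{
    $removed = 0;
    foreach (glob($imageDir . '/*.png') ?: [] as $file) {
        if (time() - filemtime($file) > $ttl) {
            unlink($file);
            $removed++;
        }
    }
    return $removed;
}
```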