Implementing captcha in a Web Application

 
Ranch Hand
I have a Web Application (Vaadin for the client, resteasy with jetty in the backend) which has a register button. I would like to make sure only humans can register.
When the user connects to my server for registration (e.g. myhost.com/register), I need to somehow create an image and a challenge. I am wondering how such a flow could look.

1) user connects to myhost.com/register -> I need to create an image and the challenge and store it somewhere with some kind of identifier to identify this user
2) the user enters some text and the captcha challenge and hits enter -> I verify (where?) the captcha and the challenge (based on some ID - but what ID could I use?)
3) when the user enters a wrong captcha, it should be re-generated -> same problem as in 1 and 2 - where to store captcha/challenge and identifier for that?

I don't like using something like reCAPTCHA as it collects a lot of information about users who visit my page. I don't like that.
Maybe someone can give me a hint.
 
Saloon Keeper
Honestly, if you don't want to use reCaptcha or something like that, Google for alternative libraries that can do this for you. Implementing something like this lies firmly in the land of artificial intelligence, and is probably not worth your time to reinvent.
 
olze oli
Ranch Hand
Can you recommend any service which does not heavily spy on the users?
 
Saloon Keeper
jcaptcha is one library I've seen in action, in the JForum2 web app. It's open source, so you can check out the code for an example of how to implement it.
 
olze oli
Ranch Hand
Thanks, I will take a look at that on the weekend. I guess they also implemented some kind of security (e.g. to not get a DB filled with captcha challenges etc.)? This would be very interesting.
 
olze oli
Ranch Hand
Unfortunately jforum did not use a separate UI, so I created it now for myself.
What I did:
I created a REST resource /requestCaptcha which returns an entity (JPG) from the server. This is stored with a browser identifier (I simply used Vaadin's getBrowser().hashCode() as fingerprint) and the IP of the requester. I use the cage captcha library.
When 5 captchas get requested from the same IP in too short a period of time, I throw a TooManyCaptchaRequests exception and the UI waits for 1 second. The backend will then produce a captcha every second; if it's requested faster, I throw that exception.
It works and I *think* this should be fine. Hope I did not forget something.
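The flow asked about in the first post and described in the post above (one stored challenge per browser fingerprint and IP, a cap of 5 requests per IP, a fresh challenge after a wrong answer), as an added example in plain Java that is neither the thread's nor the cage library's code. The 5-second window, 5-minute challenge lifetime, 6-character alphabet and the `fingerprint|ip` key are assumptions; the block covers only the store and the limiter and leaves rendering the text as an image to a library such as cage. It also expires old challenges so the store cannot fill up, and consumes a challenge on every attempt.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Server-side captcha store: one pending challenge per client key, rate limited per IP. */
public class CaptchaService {
    public static class TooManyCaptchaRequests extends RuntimeException {}
    private record Pending(String answer, Instant expires) {}

    private static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"; // no 0/O, 1/I
    private static final int MAX_PER_WINDOW = 5;                  // as in the post: 5 per IP
    private static final Duration WINDOW = Duration.ofSeconds(5);  // assumed "too short period"
    private static final Duration TTL = Duration.ofMinutes(5);     // assumed challenge lifetime

    private final SecureRandom rng = new SecureRandom();
    private final Map<String, Pending> pending = new ConcurrentHashMap<>();
    private final Map<String, Deque<Instant>> requestsByIp = new ConcurrentHashMap<>();

    /** Creates the challenge text for (fingerprint, ip); render it to an image with cage or similar. */
    public String issue(String fingerprint, String ip) {
        Instant now = Instant.now();
        Deque<Instant> hits = requestsByIp.computeIfAbsent(ip, k -> new ArrayDeque<>());
        synchronized (hits) {
            // drop timestamps outside the window, then enforce the per-IP cap
            while (!hits.isEmpty() && hits.peekFirst().isBefore(now.minus(WINDOW))) hits.pollFirst();
            if (hits.size() >= MAX_PER_WINDOW) throw new TooManyCaptchaRequests();
            hits.addLast(now);
        }
        pending.values().removeIf(p -> p.expires().isBefore(now)); // keep the store from filling up
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 6; i++) sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        String text = sb.toString();
        pending.put(fingerprint + "|" + ip, new Pending(text, now.plus(TTL))); // replaces any older challenge
        return text;
    }

    /** Single use: the challenge is consumed on every attempt, so a wrong answer forces a new image. */
    public boolean verify(String fingerprint, String ip, String answer) {
        Pending p = pending.remove(fingerprint + "|" + ip);
        if (p == null || answer == null || p.expires().isBefore(Instant.now())) return false;
        // constant-time comparison so response timing does not leak how many characters matched
        return MessageDigest.isEqual(p.answer().getBytes(), answer.toUpperCase(Locale.ROOT).getBytes());
    }
}
```

In a deployment with separate UI and backend machines the REST layer would call `issue` from /requestCaptcha and `verify` from the registration endpoint, with the `pending` map replaced by the DB table the later post mentions.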
 
Greenhorn
How about using grecaptcha from Google? It's all JavaScript-based...
 
olze oli
Ranch Hand
How should it work when I use a library like grecaptcha? Please explain the data flow to me, to have UI and business logic separated (the UI and the business logic run on separate machines in the data center).
Also, what do you mean by "grecaptcha"? Do you mean "reCAPTCHA"? If so, please read my first post.
 
Fernando Almeida
Greenhorn

olze oli wrote: How should it work when I use a library like grecaptcha? Please explain the data flow to me, to have UI and business logic separated (the UI and the business logic run on separate machines in the data center).
Also, what do you mean by "grecaptcha"? Do you mean "reCAPTCHA"? If so, please read my first post.

Yeah, "grecaptcha" means reCaptcha from Google, but the information sent to Google is less than in the first versions of this captcha mechanism..
See here, they made huge progress since they created this thing: http://avatarnewyork.com/blog/3-ways-google-recaptcha-separates-real-people-robots

But I understand you if you don't want to send any information to Google haha.... Today they mainly send user-agent information...
 
olze oli
Ranch Hand
They don't send user agents, they send browser fingerprints. If you are familiar with web technologies, you should know that most people will get uniquely identified by this information. That's the reason I don't want to penetrate my users with the Google stuff, as it should be a user's choice whether he wants to share data with Google or not. It's a real PITA, just the same with the Google Play store. But that's a different story.
 
Fernando Almeida
Greenhorn

olze oli wrote: They don't send user agents, they send browser fingerprints. If you are familiar with web technologies, you should know that most people will get uniquely identified by this information. That's the reason I don't want to penetrate my users with the Google stuff, as it should be a user's choice whether he wants to share data with Google or not. It's a real PITA, just the same with the Google Play store. But that's a different story.

I understand, from this point of view you're right. Maybe use another third-party vendor? Not good either..
 
olze oli
Ranch Hand
I created a REST service which creates a captcha and stores it in the DB with the browser fingerprint. I am free now to use any captcha library I'd like to.