In another thread, I just learned some new techniques to avoid using CAPTCHA, but still discourage Spam Bots from submitting bogus Forms.
Now I would like to know, which Forms on my website need such protection?
Obviously something like a Registration Form would need that extra level of protection, but what about these other scenarios where I technically am using Forms…
Login Form
Rate This Article Form (Members-only)
Accept/Reject Friend-Request Form (Members-only)
Submit a PM (Members-only)
I use Forms all over the place, but off the top of my head, you have to be logged in as a Registered Member to use any of them.
The only place where anyone can submit a Form would be either my Registration Form or my Log-in Form.
Obviously I don’t want to have to add code - and add complexity - to places where it is not truly needed.
[ot]You know, Mittineague, this is why I can never get my website done…
Because just when I am about to wrap things up, someone comes along and mentions something else I am missing, and there goes another couple of weeks!!
[/ot]
What do you think about the Forms mentioned in my OP?
A password field it the best CAPTCHA to use for login forms. Since the spambots don’t have an account (assuming that you use a decent CAPTCHA on your registration form and not one of those stupid almost obsolete image CAPTCHAs) they will not know of a password that is valid for any account to enter in to gain access.
Members only forms don’t need a CAPTCHA because spambots will never be members.
So of the forms you list the only ones that need a CAPTCHA are the registration and login forms and all login forms already have the best possible CAPTCHA (provided that you have appropriate processing in place to prevent spambots from trying to guess passwords - a ten second lock after a wrong password or attempt to enter a password while locked would mean that if the spambot doesn’t guess right on the first try and doesn’t have at least a ten second delay built in between guesses that it will never get in, and if it does have the delay built in it will average many years between successful guesses).
For the registration form the ideal would be a CAPTCHA that is not visible - such as testing the time from when the form is first displayed to when it is submitted. To allow for real people managing to fill out the form too quickly by using a tool to fill out the form you could redisplay the form with a different CAPTCHA (such as a simple math calculation CAPTCHA) if the form fails the invisible CAPTCHA.
Any other forms available for anyone to fill out will probably need some form of CAPTCHA.
With forms you need to monitor the amnount of spam that gets through and when it becomes significant then you replace the current CAPTCHA with a more effective one.
As felgall said, the members-only forms should be safe enough against outside abuse from bots.
Of course they should still be sanitized and validated to prevent abuse from humans.
He said “No” (you don’t need a [additional] CAPTCHA) under the condition that
provided that you have appropriate processing in place to prevent spambots from trying to guess passwords - a ten second lock after a wrong password or attempt to enter a password while locked would mean that if the spambot doesn’t guess right on the first try and doesn’t have at least a ten second delay built in between guesses that it will never get in, and if it does have the delay built in it will average many years between successful guesses
