Here are some pieces of code to prevent access to parts of your site unless the user can pass a simple Turing test (also known as a CAPTCHA).
The code is pretty straightforward. You need two files: the image generating script and the protection script.
Then, for each page you want to protect, just add this code to the top of the file:
<?php
session_start();
if (empty($_SESSION['turing_pass'])) {
    // remember where the user was, then send them to the challenge page
    $_SESSION['turing_redirect'] = $_SERVER['PHP_SELF'];
    header('Location: /turing.php');
    exit;
}
// the pass is good for one protected request only
unset($_SESSION['turing_pass']);
?>
To see it in action, try clicking here.
Please … any comments on the code are greatly appreciated!
Copyright © 2000-2010 Colin Viebrock • All Rights Reserved
Thought about making this into a plugin for Textpattern?
13 April 2004, 08:20 • PermaLink
1) Encapsulate globals. Always. E.g. provide a function that returns values from $_SESSION or $_REQUEST, rather than access them directly. It adds an extra layer of security and also “future-proofs” all of your code that accesses these variables.
2) Instead of including it at the top of each file, use the auto_prepend_file directive in your .htaccess file in apache and make this code part of that include.
These are more architectural design ideas than they are logic issues, but still are nice things that make your code a little more robust and reusable, not to mention make your application a bit more immune to future changes in language spec.
13 April 2004, 08:57 • PermaLink
With your code I see no way to add an alt attribute to the image tag, meaning your site will exclude those users.
http://www.pcmag.com/print_article/0,3048,a=49598,00.asp
All in all the technique is nice but does its work at a cost. And if you’re in a business where you can’t afford to lose customers (or aren’t allowed to by law) you’re better off not using this technique.
13 April 2004, 10:38 • PermaLink
Making it a Textpattern plug-in would be sweet, but I’m not sure how it would work. A plugin for the random image would be pretty straight-forward, but you need to modify the PHP code for the protected page to actually use it.
Ryan:
Thanks for the suggestions. Like I said, this was a quick hack. When I get some time to spend on it, I’ll probably encapsulate it in a class, which should make it more portable.
Harold:
Very valid point. I did a bit of Googling to see if there are any CAPTCHA solutions for the visually impaired, and came up with nothing.
Obviously, I can’t put an ALT tag on the image with the “right answer”, since that would defeat the purpose of the CAPTCHA.
I suppose a solution would need to be text-based. Maybe a scrambled phrase that needs to be unscrambled (“Hwo mny eggz r 1n a d0zn?”), or a word problem (“If a train leaves New York at 2am, and another leaves Chicago at 3am, ...”). The problem with the first technique is that, unless you have a very large number of phrases to scramble, someone could brute-force their way through. The problem with the second is that, although it allows access for the visually-impaired, it blocks access for the stupid (which may not be so bad after all).
Has anyone discovered any solutions to this?
15 April 2004, 06:45 • PermaLink
I know that Yahoo! provides human contact info so disabled people can get assistance from a live human who will set up their account for them. Which illustrates that the technique is just fundamentally flawed. Fine for some uses but if you’re going to deploy this large scale you’re going to run into huge problems.
I would urge everyone to be aware of these issues before deploying CAPTCHA.
Here’s some more links about the problems:
http://www.bestkungfu.com/archive/?id=445
http://www.maccessibility.com/archive/000535.php
18 April 2004, 06:53 • PermaLink
18 April 2004, 19:52 • PermaLink
15 May 2004, 09:24 • PermaLink
Technical issues: recording the individual letters, then merging them together … although that shouldn’t be too hard.
Making it hard to “crack”: with the images, I can change the colour, size, placement, rotation, etc. of each letter, so each “a” doesn’t look exactly the same. With audio, unless I record several versions of each letter, all the “a”s will sound the same. It would then be easy to identify each sound, and crack the code (“easy” is relative here, of course).
Worth a try though. I’ll check out livejournal.com, too.
15 May 2004, 14:35 • PermaLink
I think it would be hard to crack (at present) – every site could record their own audio alphabet. Just a thought, but wouldn’t you have to record longer strings anyway, like “Uppercase A”, “lowercase p” etc? Otherwise it becomes a lot less random.
16 May 2004, 04:30 • PermaLink
A small chunk of PHP, and a list of spelt letters (possibly several per letter/number, then selected at random for each letter) would suffice!
It's not foolproof and I suspect that if someone really wanted to crack it they could, but it's certainly a quick and easy solution that would work for smaller scale sites.
20 May 2004, 08:55 • PermaLink
alt="capital eff lowercase pea number seven lowercase zed capital kyoo"
20 May 2004, 08:57 • PermaLink
3 June 2004, 06:52 • PermaLink
The source code can be downloaded from here
To generate the image:
session_start();
$tur = new Turing();
$tur->generateKey();
$_SESSION['turing_key'] = $tur->getKey();
$tur->displayImage();
Then in another script you check the key from the session against the GET/POST variable from the user.
5 October 2004, 13:33 • PermaLink
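An added example (not the post's or the commenter's own code) of the /turing.php side that the post's protection snippet redirects to and that the comment above sketches: it stores a fresh challenge in the session, checks the POSTed answer with a constant-time compare, sets turing_pass on success and sends the user back to the page remembered in turing_redirect, but only if that is a local path. It assumes the image script lives at /turing_image.php and draws whatever is in $_SESSION['turing_key'].

```php
<?php
// turing.php: verification half of the session gate (added example).
// Assumes /turing_image.php renders $_SESSION['turing_key'] as the picture.
session_start();

const CHALLENGE_CHARS = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I
const CHALLENGE_LEN   = 6;

// Random challenge using a CSPRNG, not rand()/mt_rand().
function new_challenge(): string {
    $code = '';
    for ($i = 0; $i < CHALLENGE_LEN; $i++) {
        $code .= CHALLENGE_CHARS[random_int(0, strlen(CHALLENGE_CHARS) - 1)];
    }
    return $code;
}

// Only redirect back to a local path: PHP_SELF is attacker-influenced,
// so the stored turing_redirect must never become an open redirect.
function safe_local_path(?string $p): string {
    if ($p === null || $p === '' || $p[0] !== '/' || substr($p, 0, 2) === '//') {
        return '/';
    }
    return $p;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $expected = $_SESSION['turing_key'] ?? '';
    $given    = strtoupper(trim($_POST['answer'] ?? ''));
    unset($_SESSION['turing_key']);                 // one attempt per challenge
    if ($expected !== '' && hash_equals($expected, $given)) {
        session_regenerate_id(true);                // drop the pre-auth session id
        $_SESSION['turing_pass'] = true;            // consumed by the protected page
        header('Location: ' . safe_local_path($_SESSION['turing_redirect'] ?? null));
        exit;
    }
    $error = 'Wrong answer, try again.';
}

// Every render (first visit or after a failure) gets a brand-new challenge.
$_SESSION['turing_key'] = new_challenge();
?>
<form method="post" action="/turing.php">
  <img src="/turing_image.php" alt="Type the characters shown in the image">
  <?php if (!empty($error)) echo '<p>' . htmlspecialchars($error) . '</p>'; ?>
  <input name="answer" autocomplete="off">
  <button type="submit">Continue</button>
</form>
```

Because the protected page unsets turing_pass on use, the flag here is a single-use token and a wrong answer always discards the old key, so an answer cannot be replayed or guessed against the same image.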
Tried the above method, but I get a parse error on a comment page.
5 December 2004, 19:07 • PermaLink
16 February 2005, 05:05 • PermaLink
I’m interested in hiring you to add your turing script to my site or explain to me where to add the script so that I may do it myself. I really need this kind of security on my site. Email me and I will give you details.
Thanks.
17 November 2005, 23:20 • PermaLink