An Alternative to Image based CAPTCHA

I’ve never liked image-based CAPTCHA systems, although I see the value of a CAPTCHA test for publicly submitted content.

I have an alternative solution.

For some time I have been delivering a nonce (a number used once) into a hidden field of a form via an AJAX call. This has a number of benefits:

  • using nonces is my standard way of avoiding back-button/refresh form resubmission (yes: I’ve nicked the word from WordPress, but my use of nonces predates WordPress – promise!);
  • most robot scripts do not have JavaScript clients; they tend to be coded cURL implementations, so JS delivery of the nonce works well against them;
  • for those robots that automate a browser, I delay delivery of the nonce by a few seconds (3-5 depending on the number of fields). I also tend to delay enabling the submit button, but not always. This means that a robot that screen-scrapes rapidly gets caught out (it submits before the nonce has arrived, so the server rejects the post), while a user should not notice any real drawback. Instead of a delay you could trigger the nonce request on the activation of a particular text field (but beware browser auto-complete here).

I’ll post a code class to do all this for you in a neat way, in due course.

My co-contributor at Tek-Tips, feherke, suggests the best of all worlds: deploy an image-based CAPTCHA scheme and then sniff for JS. If JS is turned on, dynamically remove the image CAPTCHA and replace it with the AJAX alternative I suggest above. This covers all scenarios other than an OCR-enhanced robot.
