Re: CAPTCHA system in webDNA

This WebDNA talk-list message is from

2005


It keeps the original formatting.
numero = 60819
interpreted = N
texte = It's my understanding that AOL uses the same IP addresses for large groups of its members. Wouldn't this cause a problem with that type of application? Justin Carroll On 1/19/05 8:54 PM, "Kenneth Grome" wrote: > Hi Bill, > > Your proposed method looks like a good extension of my suggestion, > especially the use of a randomly generated password. [cart] creates > a value that looks too much like a number sometimes, and this might > encourage hackers to run a brute force test on the page that's posted > in the email. > > I also use a technique similar to the one Dan got from Brian Fries to > generate virtually unique values, but I extend it even further by > making the number of characters in each generated password value a > random number between (for example) 10 and 20 characters. Then the > hacker has one additional variable to deal with if he tries a brute > force attack. > > I also like your idea to disable access to the page after X attempts > from the same ip address within a pre-determined time period, because > that would even further deter a brute force attack. After all, the > valid password is already in the URL, which means the visitor from a > specific ip address *should* get the password right on his very first > attempt -- but certainly after a handful of failures this page should > be 'turned off' for that ip address for an hour or so, and asking the > visitor to try again later. > > Sincerely, > Kenneth Grome > www.kengrome.com > > > > > > >> -----Original Message----- >> From: Kenneth Grome >> Sent: Thu, 20 Jan 2005 00:12:48 +0800 >> To: "WebDNA Talk" >> Subject: Re: CAPTCHA system in webDNA >> >> You're trying to prevent automatic email deletion from an opt-in mailing >> list? >> >> I wouldn't mess with the system you're suggesting at all. Instead >> when the visitor enters his (or someone else's) email address into >> the email field in your unsubscribe form, I would enter a unique >> value into the 'unsubscribe' field of his database record: >> >> [replace db=subscribers.db&eqemaildatarq=[email]]unsubscribe=[cart][/replace] >> >> .. and then in the same template I would send the visitor an email >> message with a URL that has that same unique value in it, like this: >> >> >> ************************************ >> "Someone entered your email address into the >> UNSUBSCRIBE page on our web site. If that person >> was you, and if you really want to unsubscribe, just >> click this link and we will unsubscribe you immediately:" >> >> http://domain.com/page.html?out=[cart] >> >> "But if you do NOT want to unsubscribe from our list, >> please just ignore this message, thanks." >> ************************************ >> >> >> The person who receives this email message may (or may not ) click >> that link. If he clicks the link, your webdna code simply deletes >> the only record in the subscribers database that has that unique >> 'out' value in the unsubscribe field: >> >> [delete db=subscribers.db&equnsubscribedatarq=[out]] >> >> Simple and efficient, and no images or other non-webdna tricks required. >> >> :) >> >> Sincerely, >> Kenneth Grome >> www.kengrome.com ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ Associated Messages, from the most recent to the oldest:

    
  1. Re: CAPTCHA system in webDNA ( Justin Carroll 2005)
  2. Re: CAPTCHA system in webDNA ( Kenneth Grome 2005)
  3. Re: CAPTCHA system in webDNA ( "Dan Strong" 2005)
  4. Re: CAPTCHA system in webDNA ( "Dan Strong" 2005)
  5. Re: CAPTCHA system in webDNA ( devaulw@onebox.com 2005)
  6. Re: CAPTCHA system in webDNA ( Kenneth Grome 2005)
  7. Re: CAPTCHA system in webDNA ( "Dan Strong" 2005)
  8. Re: CAPTCHA system in webDNA ( devaulw@onebox.com 2005)
  9. Re: CAPTCHA system in webDNA ( Kenneth Grome 2005)
  10. Re: CAPTCHA system in webDNA ( "Dan Strong" 2005)
  11. Re: CAPTCHA system in webDNA ( Justin Carroll 2005)
  12. Re: CAPTCHA system in webDNA ( Clint Davis 2005)
  13. Re: CAPTCHA system in webDNA ( Kenneth Grome 2005)
  14. Re: CAPTCHA system in webDNA ( "Dan Strong" 2005)
  15. Re: CAPTCHA system in webDNA ( Justin Carroll 2005)
  16. CAPTCHA system in webDNA ( devaulw@onebox.com 2005)
It's my understanding that AOL uses the same IP addresses for large groups of its members. Wouldn't this cause a problem with that type of application? Justin Carroll On 1/19/05 8:54 PM, "Kenneth Grome" wrote: > Hi Bill, > > Your proposed method looks like a good extension of my suggestion, > especially the use of a randomly generated password. [cart] creates > a value that looks too much like a number sometimes, and this might > encourage hackers to run a brute force test on the page that's posted > in the email. > > I also use a technique similar to the one Dan got from Brian Fries to > generate virtually unique values, but I extend it even further by > making the number of characters in each generated password value a > random number between (for example) 10 and 20 characters. Then the > hacker has one additional variable to deal with if he tries a brute > force attack. > > I also like your idea to disable access to the page after X attempts > from the same ip address within a pre-determined time period, because > that would even further deter a brute force attack. After all, the > valid password is already in the URL, which means the visitor from a > specific ip address *should* get the password right on his very first > attempt -- but certainly after a handful of failures this page should > be 'turned off' for that ip address for an hour or so, and asking the > visitor to try again later. > > Sincerely, > Kenneth Grome > www.kengrome.com > > > > > > >> -----Original Message----- >> From: Kenneth Grome >> Sent: Thu, 20 Jan 2005 00:12:48 +0800 >> To: "WebDNA Talk" >> Subject: Re: CAPTCHA system in webDNA >> >> You're trying to prevent automatic email deletion from an opt-in mailing >> list? >> >> I wouldn't mess with the system you're suggesting at all. Instead >> when the visitor enters his (or someone else's) email address into >> the email field in your unsubscribe form, I would enter a unique >> value into the 'unsubscribe' field of his database record: >> >> [replace db=subscribers.db&eqemaildatarq=[email]]unsubscribe=[cart][/replace] >> >> .. and then in the same template I would send the visitor an email >> message with a URL that has that same unique value in it, like this: >> >> >> ************************************ >> "Someone entered your email address into the >> UNSUBSCRIBE page on our web site. If that person >> was you, and if you really want to unsubscribe, just >> click this link and we will unsubscribe you immediately:" >> >> http://domain.com/page.html?out=[cart] >> >> "But if you do NOT want to unsubscribe from our list, >> please just ignore this message, thanks." >> ************************************ >> >> >> The person who receives this email message may (or may not ) click >> that link. If he clicks the link, your webdna code simply deletes >> the only record in the subscribers database that has that unique >> 'out' value in the unsubscribe field: >> >> [delete db=subscribers.db&equnsubscribedatarq=[out]] >> >> Simple and efficient, and no images or other non-webdna tricks required. >> >> :) >> >> Sincerely, >> Kenneth Grome >> www.kengrome.com ------------------------------------------------------------- This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Web Archive of this list is at: http://webdna.smithmicro.com/ Justin Carroll

DOWNLOAD WEBDNA NOW!

Top Articles:

Talk List

The WebDNA community talk-list is the best place to get some help: several hundred extremely proficient programmers with an excellent knowledge of WebDNA and an excellent spirit will deliver all the tips and tricks you can imagine...

Related Readings:

Finer than a second. (2001) Updating product information (2002) Secure Web Server (1999) Search returns all, not 20 (1997) Country & Ship-to address & other fields ? (1997) The Form authentication trick (2000) check out page (SSL) not loading on Netscape 4.0+ - fixed? (1999) Price Not Appearing (2000) [CART] inside a [LOOP] (1997) RE: Help name our technology! (1997) Hairy Shipping Monster (2006) WCf2 and nested tags (1997) showcart context? (1998) protect tag on NT IIS (1997) Need relative path explanation (1997) variables in [addlineitem] (1998) date format (another question) (2000) Typhoon Rev. and PCS store problems (1999) carriage returns in data (1997) Credit Card Number checking (1997)