> First, I want to reiterate an AJAX solution is probably best. However, 
> if AJAX is out of the question a secure hash WILL work. Let me clarify 
> that...
> 
> 1. CFC generates a CAPTCHA (EX: ABC123)
> 2. CFC hashes the CAPTCHA (EX: A6B7D8991A)
> 3. CF sends the HTTP response with the hash and a JShash() method.
> 4. Upon submit (or whatever event desired) JSHash is called passing 
> user_input_CAPTCHA.
> 5. JSHash returns a hash of user_input_CAPTCHA and it is compared to 
> the CAPTCHA hash (EX: A6B7D8991A) as sent by the CFC.
> 6a. If they match, post the form to the server (user_input_CAPTCHA is 
> sent to the server)
> 6b. If they don't match, tell the user to try again. (goto 4)
> 7. CF can hash form.user_input_CAPTCHA and verify it again.
> 
> a. The unhashed CAPTCHA is never sent to the browser.
> b. The hashed CAPTCHA is never sent to the server.
> c. Considerable computing power could be used to dehash the hash so 
> that it could be input into the form and thereby breaking CAPTCHA. 
> But if a spammer has that much time and expertise they are going to 
> break your system anyway. For that matter the spammer should move to 
> hacking if they have such a skill set.
> 
> It is quite a bit to go through, but if AJAX is not an option a hash 
> will work.
> 
> -John
> 
> >> A secure hash might be what the doctor ordered. CF could send 
> >> a hashed version of the "answer" then you could run js code 
> >> to hash the users input before the compare.
> >
> >I haven't read the whole thread, but if you send the hash to the browser,
> >anybody could just see the hash and ensure that gets sent again to the
> >server when appropriate.
> >
> >Dave Watts, CTO, Fig Leaf Software
> >http://www.figleaf.com/

John, 
I think that Ajax is the way to go (I can use it for many more things than just 
this one item), however, I know nothing about Ajax (up until two days ago), but 
I did buy my first Ajax book two days ago (Ajax Your Visual Blueprint for 
creating rich Internet applications) and I am learning. I have been curious 
about Ajax for a while, and I now have a good excuse to jump into it. I also 
received my copy of JavaScript Bible 6e a few days ago and between the two 
books I am getting a good understanding of how Ajax works and how to implement 
a solution. I should have a solution to my problem soon. I will provide the 
solution I come up with when I implement it. Thank you for your help.
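
The hash scheme discussed above, sketched as an added example that is not code from anyone in this thread: the hash sent to the browser serves only as a pre-submit convenience check, while the server (step 7) decides from the typed text and its own single-use record, so resending the hash or reposting a solved form gains nothing. The function names, the in-memory `store`, the salt and the five-minute lifetime are assumptions, and JavaScript stands in for the ColdFusion side so both halves run together.

```javascript
// Added example. issueChallenge, clientPrecheck, verifySubmission and store are
// hypothetical names; store stands in for server-side session storage.
const nodeCrypto = require('crypto');

const TTL_MS = 5 * 60 * 1000; // assumed challenge lifetime
const store = new Map();      // challenge id -> { answer, expires }

const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');

// Steps 1-3: generate the CAPTCHA, keep the answer on the server,
// and send the browser only an id, a per-challenge salt and the salted hash.
function issueChallenge(answer, now = Date.now()) {
  const id = nodeCrypto.randomBytes(16).toString('hex');
  const salt = nodeCrypto.randomBytes(16).toString('hex');
  store.set(id, { answer: answer.toUpperCase(), expires: now + TTL_MS });
  return { id, salt, hash: sha256(salt + answer.toUpperCase()) };
}

// Steps 4-6: what JSHash would do in the browser. It saves a round trip
// on typos; the server never relies on its result.
function clientPrecheck(challenge, userInput) {
  return sha256(challenge.salt + userInput.toUpperCase()) === challenge.hash;
}

// Step 7: the server checks the typed text against its own record.
// The record is deleted on first use, so a repeated post with the same id fails.
function verifySubmission(id, userInput, now = Date.now()) {
  const rec = store.get(id);
  store.delete(id);
  if (!rec || now > rec.expires) return false;
  // Hash both sides to equal-length buffers so timingSafeEqual can compare them.
  const expected = Buffer.from(sha256(rec.answer));
  const supplied = Buffer.from(sha256(String(userInput).toUpperCase()));
  return nodeCrypto.timingSafeEqual(expected, supplied);
}
```
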

Archive: 
http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:275521