On 8/4/07, Henrik Martin <[EMAIL PROTECTED]> wrote:
> Hi. I was just playing around with my installation of Roller. I was
> using my wife's machine and I was trying to comment on a blog
> entry. However, I didn't see the "Please answer this simple math
> question" show up on the page. I use a Javascript blocking toolbar in
> Firefox, and I hadn't enabled Javascript for the site that Roller was
> running on. When I enabled it, the field with the math question
> appeared in the page.
>
> I'm just curious as to why Roller needs to use Javascript for this? I
> guess it's to avoid generating the numbers in the HTML, which would
> make it easy for bots to parse. But this could still be bypassed
> by a bot if the page is processed by a library that could execute the
> Javascript code. In general, I consider Javascript to be a real
> annoyance. Not only is it insecure, it's also very unpredictable as to
> how it's implemented in various browsers. There are some sites that I
> use that require Javascript to function, and I reluctantly allow it
> for those sites, but I really don't see it being necessary for most
> sites.
>
> As for the math question, I guess there's some kind of cookie
> associated with it so that you can verify that the response is for a
> certain challenge. Why couldn't this be done by just passing cookies in
> the HTTP header like most session cookies are handled?
>
> I'd like to suggest using JCaptcha (jcaptcha.sourceforge.net)
> instead of the math question. From a usability standpoint, I think
> this is better and much more intuitive, and doesn't require
> Javascript. The math question is very easy to miss, and it wasn't
> obvious to me the first time I visited a Roller blog that it was
> required to post a comment. Most people are used to CAPTCHA systems
> when they sign up for services at Yahoo, Google, AOL, and other large
> sites. I think it would be more obvious than the math question.
>
> The only caveat that I'm aware of with JCaptcha is that it uses Java
> imaging libraries that use the GraphicsContext class. This will
> sometimes cause Tomcat to crash on servers that are running "headless"
> unless the Java runtime environment has been told specifically that it
> is running headless. This can be done by passing -Dawt.headless=true
> to the JVM. Once that is done, JCaptcha works really nicely in a
> headless server environment.
There are lots of areas for improvement in Roller's comment auth/validation. We need to make it more pluggable, we need to provide an option for OpenID, etc. I'd like to see a JCaptcha plugin for Roller and at one time one existed. However, we cannot distribute JCaptcha with Roller because it has an LGPL license which is incompatible with Apache policy.

- Dave
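Henrik's question about tying the math challenge to an ordinary HTTP cookie instead of JavaScript, worked through as an added example that is neither Roller's code nor JCaptcha: the question is rendered as plain HTML text, the expected answer exists only server-side under a random token the site would set as a cookie, and each token is single-use and expires. Setting the cookie and rendering the form are assumed to be done by the surrounding web framework; the store below is the part that makes the scheme safe without any client-side script.

```python
import hmac
import secrets
import time

# Added example (not Roller's code): a server-side arithmetic challenge that
# needs no JavaScript. The question goes straight into the HTML form; the
# expected answer is kept server-side under an opaque token that travels in
# a cookie, so the page source never contains the answer.
CHALLENGE_TTL_SECONDS = 600  # assumed lifetime; tune for the site


class MathChallengeStore:
    """In-memory store of outstanding challenges, keyed by a random token."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # token -> (expected_answer, expires_at)

    def issue(self):
        """Create a challenge. Returns (token, question_text) for the form.

        The token belongs in a cookie (or a hidden field); the question is
        rendered as plain text, so a client without JavaScript still sees it.
        """
        a, b = secrets.randbelow(10), secrets.randbelow(10)
        token = secrets.token_urlsafe(16)
        self._pending[token] = (str(a + b), self._clock() + CHALLENGE_TTL_SECONDS)
        return token, f"What is {a} + {b}?"

    def verify(self, token, answer):
        """Consume the challenge named by `token` and check the answer.

        The entry is removed before any check, so a token can be tried
        exactly once and an expired challenge can never be answered late.
        """
        entry = self._pending.pop(token, None)
        if entry is None:
            return False             # unknown, already used, or forged token
        expected, expires_at = entry
        if self._clock() > expires_at:
            return False             # challenge outlived its TTL
        return hmac.compare_digest(expected, str(answer).strip())
```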
