in reply to Re^2: Stop Form Hurling
in thread Stop Form Hurling

Yeah, I know about that. I took one more step to circumvent this security flaw.

I randomly renamed the alphanumeric images and I keep a list of correspondences between these random names and the actual values of the letters somewhere on my site. So, actually, what a robot would see in the image URLs is various names of Greek cities (e.g. "athens", "thessaloniki", etc. -- hey! I'm Greek after all ;-).

Then, the cgi script reverses the process and checks the password. I suppose bots are not that clever to figure out what's going on.

Re^4: Stop Form Hurling
by simonm (Vicar) on Nov 06, 2004 at 06:30 UTC
    But if you're passing the value to check against as a query parameter, what's to stop a malicious user from manually finding one match, and then re-submitting those parameters to your site in thousands of future requests?
      This depends on the level of security you require. Of course, one could use a temp file which is written, read, and deleted on the fly (as we pass from one cgi script to the other) to transfer the info.
        This depends on the level of security you require.

        No; passing a random string in a hidden form field to match against the user input does not provide *any* level of security.

        What's the scenario you imagine this is going to protect you against?
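The replay problem simonm raises, worked through as an added Python example (not code from this thread, whose script is a Perl CGI): a check whose reference value travels in the same request as the user's answer passes the same captured pair every time, while a server-side store that issues an unguessable, single-use, expiring token passes it once. The image-to-letter mapping, the function names and the in-memory dict are constructed for illustration; a CGI deployment would persist that dict in a file or database, which is what the temp-file suggestion above amounts to.

```python
"""Added example: replayable check versus a single-use server-side challenge.
The image-name-to-letter mapping and all names here are constructed."""
import hmac
import secrets
import time

# Constructed stand-in for the poster's "Greek city" image names -> letters list.
IMAGE_NAMES = {"athens": "A", "thessaloniki": "B", "patras": "C", "larissa": "D"}


def naive_check(params):
    """The pattern simonm objects to: the reference value ("expected", here the
    image name) arrives as a hidden field or query parameter alongside the
    user's answer. The comparison is correct, but nothing ties the pair to a
    single form load, so one solved pair can be resubmitted indefinitely."""
    return IMAGE_NAMES.get(params.get("expected")) == params.get("answer")


class ChallengeStore:
    """Server-side challenge state keyed by an unguessable token.

    Only the token reaches the client (as a hidden field); the image name and
    the expected letter stay here. Each token verifies at most once and
    expires, so a captured (token, answer) pair cannot be replayed. Every CGI
    request is a fresh process, so a real deployment would keep this dict in
    a file or database rather than in memory."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._pending = {}  # token -> (image name, expiry timestamp)
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for testing expiry

    def issue(self):
        """Create a challenge and return the token to embed in the form."""
        token = secrets.token_urlsafe(16)
        name = secrets.choice(list(IMAGE_NAMES))
        self._pending[token] = (name, self.clock() + self.ttl)
        return token

    def image_name(self, token):
        """Server-side lookup used when rendering the <img>; the name itself
        need never appear in the page, only the token does."""
        entry = self._pending.get(token)
        return entry[0] if entry else None

    def verify(self, token, answer):
        """Consume the token, then compare. pop() makes the token single-use
        whether or not the answer is right, so each guess costs a new form load."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return False  # unknown, forged, or already-used token
        name, expires = entry
        if self.clock() > expires:
            return False  # stale challenge
        expected = IMAGE_NAMES[name]
        return hmac.compare_digest(expected.encode(), answer.encode())


def replay_comparison():
    """Submit the same solved pair three times under each scheme."""
    params = {"expected": "athens", "answer": "A"}  # what a bot captured once
    naive = [naive_check(params) for _ in range(3)]

    store = ChallengeStore()
    token = store.issue()
    answer = IMAGE_NAMES[store.image_name(token)]  # what a human reads off the image
    stored = [store.verify(token, answer) for _ in range(3)]
    return naive, stored


if __name__ == "__main__":
    print(replay_comparison())
```

The token alone is what the form carries; because the image is selected server-side from the token, the Greek-city file name does not have to be exposed either, so learning the name-to-letter list gives a bot nothing it can present without also solving a fresh image.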