Friday, February 12, 2010

Create secure form without captcha

Usually, when we want to create a secure form that computer programs cannot pass, we use a CAPTCHA.
CAPTCHA has a lot of disadvantages; the main ones are that it is heavy, it bothers users, and it makes them run away from our form.
With the idea I'll show in this post, the user cannot notice any difference from an unsecured form.
The steps for this very simple solution are:

1. Generate random names for the inputs in the form
2. Save the names in the session collection on the server side
3. After the user submits the form, take the input names from the session
4. Get the input values from the request collection, using the names from the session as keys

Take a look at this simple example in ASP.NET; it will work in every server-side language:
---------------------------------------------------------------------------------------
The server-side code

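using System;
using System.Web.UI;

public partial class _Default : System.Web.UI.Page
{
    // Random input names, rendered into the markup with <%= ... %>
    public string UserNameKey;
    public string PasswordKey;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // First request: issue fresh names for the form inputs
            IssueFieldNames();
        }
    }

    protected void lnkSend_Click(object sender, EventArgs e)
    {
        if (Session["UserNameKey"] != null
            && Session["PasswordKey"] != null)
        {
            // Read the posted values under the names saved in the session
            string UserNameValue = Request[Session["UserNameKey"].ToString()];
            string PasswordValue = Request[Session["PasswordKey"].ToString()];
        }

        // Issue new names so the re-rendered form does not get empty name attributes
        IssueFieldNames();
    }

    // Generate the random names and save them in the session
    private void IssueFieldNames()
    {
        Session["UserNameKey"] = UserNameKey = Guid.NewGuid().ToString();
        Session["PasswordKey"] = PasswordKey = Guid.NewGuid().ToString();
    }
}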


The HTML code

<html>
<head runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
        User name: <input type="text" name="<%=UserNameKey%>" />
        <br />
        Password: <input type="password" name="<%=PasswordKey%>" />
        <br />
        <asp:LinkButton ID="lnkSend" runat="server" onclick="lnkSend_Click">Send</asp:LinkButton>
    </form>
</body>
</html>
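
The same four steps outside ASP.NET, as an added example that is not part of the original post: a framework-independent Python sketch in which plain dicts stand in for the session and request collections. The function names, the `field_names` session key and the single-use behaviour (the names are discarded after one submission) are assumptions of this sketch.

```python
import secrets

FIELDS = ("username", "password")  # logical field names (assumed for this sketch)


def issue_field_names(session):
    """Steps 1-2: generate random input names and save them in the session."""
    names = {field: secrets.token_hex(16) for field in FIELDS}
    session["field_names"] = names
    return names


def render_form(names):
    """Render the form with the random names in place of fixed ones."""
    return (
        '<form method="post">\n'
        f'  User name: <input type="text" name="{names["username"]}" />\n'
        f'  Password: <input type="password" name="{names["password"]}" />\n'
        "</form>"
    )


def read_submission(session, posted):
    """Steps 3-4: map the posted values back to the logical fields.

    Returns None when the session holds no issued names or the request
    lacks one of them. The names are popped before the check, so each
    issued form is accepted at most once.
    """
    names = session.pop("field_names", None)
    if names is None:
        return None
    if not all(name in posted for name in names.values()):
        return None
    return {field: posted[name] for field, name in names.items()}


if __name__ == "__main__":
    session = {}  # stands in for the server-side session collection
    names = issue_field_names(session)
    print(render_form(names))
    # Constructed sample request, keyed by the issued names
    posted = {names["username"]: "alice", names["password"]: "example-password"}
    print(read_submission(session, posted))  # values under logical names
    print(read_submission(session, posted))  # same request again: None
```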