This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP PureCaptcha"
From OWASP
Abbas Naderi (talk | contribs) m (added documentation tab) |
Abbas Naderi (talk | contribs) (→Documentation) |
||
Line 57: | Line 57: | ||
|} | |} | ||
= Documentation = | = Documentation = | ||
+ | |||
+ | There are basically three operations needed to properly utilize CAPTCHAs: | ||
+ | |||
+ | * Generating A Captcha | ||
+ | This can be done by the '''show''' method of PureCaptcha. It will terminate the current request and return an image to the client. | ||
+ | * Persisting The Captcha Value | ||
+ | The '''show''' method also returns a string equal to the Captcha contents. You need to persist it on the session for the user (preferably for a limited amount of time). The example code shows how this can be done simply in your programming language, but any other persistence layer would be fine. | ||
+ | Keep in mind that for every Captcha used inside your application (e.g one for login page, one for password reset page, one for remove user page) you should persist the Captcha separately, so that a user can simultaneously use all your applications functionalities without one Captcha overriding the expected value for the other. | ||
+ | * Validating The Captcha | ||
+ | '''It is very important to remove the Captcha from persistence after its validated, whether its wrong or right.''' If you leave a Captcha persisting after validation, attackers can bypass your Captcha by inspecting it once and then using the same Captcha over and over to send requests to your application. See the example usages for more details. | ||
=FAQs= | =FAQs= |
Revision as of 01:53, 11 November 2014