Simple Captcha: Session ID as identifier?
Posted: 16 July 2008 12:10 PM

Hi!

I built a captcha library which randomly generates a simple mathematical question that the user is required to answer correctly to submit the form. When the user loads the controller, a new captcha is generated and the answer is stored in a database table along with the session ID, which is the identifier used to fetch the correct answer once the user has pressed submit.

So my question is, is the session ID a smart way to associate a user with an answer, seeing as (if I understand it correctly) the session ID is changed every five minutes or so?

Best regards,
Erik Brännström

Posted: 16 July 2008 01:08 PM   [ # 1 ]

I think you answered your own question. Why not just store the answer directly in the session? Alternatively, just store the numbers in hidden fields to avoid using the session.

Posted: 16 July 2008 01:15 PM   [ # 2 ]

Use reCAPTCHA.net

It’s free, it’s awesome, it’s high tech… and you’re helping to digitize books!

Posted: 16 July 2008 01:17 PM   [ # 3 ]

It is interesting that the easiest solution seldom is the one that springs to mind :)

Just one follow up question. The captcha is plain text and can easily be answered by a fairly simple automated process, which isn’t really a problem for my part. I’m just wondering if the CI Sessions are stored in cookies and if this information is easily accessible for such bots? I’m simply wondering for possible future security reasons.

Thanks for your answer!

Posted: 16 July 2008 01:27 PM   [ # 4 ]
mdgross - 16 July 2008 01:15 PM

Use reCAPTCHA.net

It’s free, it’s awesome, it’s high tech… and you’re helping to digitize books!

I did actually, however I found that it was a bit too high tech for my needs :)

The site I’m working on is in Swedish, which is not supported by default with reCaptcha and I didn’t feel up to the task of fixing that myself. This solution also loads faster and will never cause the slightest problem when I finally get around to internationalizing the site.

Posted: 16 July 2008 01:40 PM   [ # 5 ]

I think the best way to go would be to use the standard session flashdata feature to store the answer on the page with the form and access it on the submit page. No need to worry about DB calls or session IDs changing.
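
The approach suggested in replies #1 and #5 (keep the answer in the session data itself instead of a table keyed by session ID, and make it one-shot like flashdata), as an added example that is not part of the thread and not CodeIgniter's own code. It is plain PHP; `captcha_issue`, `captcha_check`, `CAPTCHA_TTL` and the `$store` array, which stands in for server-side session data, are hypothetical names.

```php
<?php
// Added example. All names here are hypothetical; $store stands in for
// server-side session data, so a rotating session ID does not matter.

const CAPTCHA_TTL = 300; // seconds a challenge stays valid

// Create a question and keep only the answer on the server.
function captcha_issue(array &$store, ?int $now = null): string
{
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $store['captcha'] = [
        'answer'  => (string) ($a + $b),
        'expires' => ($now ?? time()) + CAPTCHA_TTL,
    ];
    return "What is $a + $b?"; // only the question text goes into the form
}

// Verify a submission. The challenge is consumed on every attempt
// (flashdata-like), so one challenge allows exactly one guess.
function captcha_check(array &$store, $input, ?int $now = null): bool
{
    $challenge = $store['captcha'] ?? null;
    unset($store['captcha']); // single use, whether right or wrong

    if (!is_array($challenge) || !is_string($input)) {
        return false; // no challenge issued, or non-string input such as answer[]=
    }
    if (($now ?? time()) > $challenge['expires']) {
        return false; // form was left open too long
    }
    return hash_equals($challenge['answer'], trim($input));
}

// Constructed walk-through with a fake session array and fixed clock values.
$session  = [];
$question = captcha_issue($session, 1000);
preg_match('/(\d) \+ (\d)/', $question, $m);
$right = (string) ($m[1] + $m[2]);

var_dump(captcha_check($session, $right, 1010)); // first submission of the right answer
var_dump(captcha_check($session, $right, 1011)); // replay against the consumed challenge
captcha_issue($session, 2000);
var_dump(captcha_check($session, $right, 2000 + CAPTCHA_TTL + 1)); // submission after expiry
```

Because the form carries only the question text, nothing in the page source or in hidden fields reveals the expected answer.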
