[nycphp-talk] NEW PHundamentals Question
Chris Shiflett
shiflett at php.net
Tue Feb 10 11:03:50 EST 2004
--- Dan Cech <dcech at phpwerx.net> wrote:
> Chris mentioned that it is inconvenient for users, I understand that
> IP address checking would be wildly inconvenient for dialup users, etc.
> on a long term basis, but can't think of anyone whose IP address would
> regularly change during a session.

The classic example is AOL, which uses round-robin proxies to let its
users out onto the real Internet. With an AOL user, you may observe a
user's IP address changing for every single request.

I'm not a big networking expert, but I assume there are other situations
that can cause problems with this approach as well. I assume most of these
fit into one of two categories:

1. One user can have many IPs.
2. Many users can have one IP.

Because of this, and because I'm not a TCP/IP expert, I focus on HTTP and
up.

> The porn attacks on captchas are definitely inventive and no doubt very
> effective, harnessing the power of 15 year olds everywhere....I love
> it.

Yes, I thought this was genius. :-)

> Jon has a good point about not actually requiring a response to do
> damage. The mechanism to generate the captchas had better be efficient
> or you're opening yourself up for a DoS attack from anyone who can
> flood the form with GET requests...

This is definitely true if you generate them on the fly or something, but
I don't think that's the way to go. With pre-generated images, this
shouldn't really be an issue.

Also, if anyone is a captcha expert, I think this would make a great
presentation of some sort. I know Yahoo uses ez-gimpy (you can find it
from http://www.captcha.net/), and I've gotten that to work, but I
couldn't figure out how to generate images without having Gimp running
under X. I've only played with it out of curiosity, though. Anyone have
any experience they can share at a more professional level?

Chris
=====
Chris Shiflett - http://shiflett.org/
PHP Security - O'Reilly
Coming mid-2004
HTTP Developer's Handbook - Sams
http://httphandbook.org/
PHP Community Site
http://phpcommunity.org/
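
The two categories from the message above, replayed against a strict IP-bound session check. This is an added example, not part of the original message; the function names, session ids and addresses are constructed for illustration.

```php
<?php
// Added example, not from the original message. Session ids and addresses
// are constructed; the IPs come from the reserved documentation ranges.

// The strict check under discussion: a session is only honoured from the
// IP address that first presented it.
function ip_bound_check(array &$bound, string $sid, string $ip): string
{
    if (!isset($bound[$sid])) {
        $bound[$sid] = $ip;          // first request binds the session
        return 'bound';
    }
    return $bound[$sid] === $ip ? 'accept' : 'reject';
}

// Constructed request log: [actual sender, session id presented, source IP].
$requests = [
    // Category 1: one user, many IPs (round-robin proxy pool).
    ['alice', 'sid-A', '192.0.2.10'],
    ['alice', 'sid-A', '192.0.2.11'],
    ['alice', 'sid-A', '192.0.2.12'],
    // Category 2: many users, one IP (shared proxy or NAT gateway).
    ['bob',   'sid-B', '198.51.100.7'],
    ['bob',   'sid-B', '198.51.100.7'],
    ['carol', 'sid-B', '198.51.100.7'],  // different person, same session id
];

// Replays the log and counts where the IP check disagrees with reality.
function evaluate(array $requests): array
{
    $bound  = [];   // session id => IP it was bound to
    $owner  = [];   // session id => sender of its first request
    $errors = ['false_reject' => 0, 'false_accept' => 0];
    foreach ($requests as [$who, $sid, $ip]) {
        $owner[$sid] = $owner[$sid] ?? $who;
        $verdict = ip_bound_check($bound, $sid, $ip);
        $legit   = ($owner[$sid] === $who);
        if ($legit && $verdict === 'reject') {
            $errors['false_reject']++;   // real user locked out
        } elseif (!$legit && $verdict === 'accept') {
            $errors['false_accept']++;   // other user passes the IP check
        }
        printf("%-6s %-6s %-13s %s\n", $who, $sid, $ip, $verdict);
    }
    return $errors;
}

print_r(evaluate($requests));
```

The session owner behind the proxy pool is rejected on her second and third requests, while the request from a different person behind the shared address is accepted because the IP matches.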