Thoughts about captcha stuff

[Mark Lundquist <ml...@comcast.net>]

Hi,

I added captcha validation to one of my projects this morning, using 
the CForms <captcha> widget and the CaptchaReader from the Cocoon 
captcha block.  It was pretty much a snap :-).

I have some feedback, let's talk about it and I'll file JIRA issues for 
anything still left standing when we're done :-)


1) Control over display of the captcha image

The CForms <captcha> widget treats the captcha image as part of the 
image; the widget takes care of generating the <img> element.  I think 
I would like to be able to do this myself.  I should be able to control 
the positioning of the captcha image within the page layout, give it a 
CSS id or class (maybe I want a CSS rule to control border properties , 
etc.) and so on.  Maybe I don't want it to always be just right between 
the widget label and the input field :-)


2) Control of URI of the captcha image

The <captcha> widget generates an <img> element w/ a page-relative URI 
in the src attribute, like "captcha-38459.jpg".  I think it should be a 
little more flexible; as it is, I have to play games in the sitemap 
with precedence of matchers to make sure the right pipeline gets 
invoked.


3) Configurability of character set

Certain groups of characters can be very hard to disambiguate in the 
presence of captcha-esque distortions :-), e.g. "O/o/0", "1/l", 
"S/s/5", "X/x", "C/c", "i/j", etc.  This can be font-dependent as well, 
to a degree.  So, it would be nice to be able to configure the 
character set used to generate captcha strings.


4) Architecture / ability to integrate different image generators

It seems there are 3 components to a captcha system: a random string 
generator, an image generator, and a checker.  The image generator and 
checker both are consumers for the string produced by the string 
generator, and it appears that various captcha systems have different 
ways of packaging these components.  In Cocoon, the string generator is 
integrated with the checker.  As far as the image generator goes, you 
can use anything, as long as you have some way of getting the text from 
our session key into the image generator.

SimpleCaptcha [1] looks like a nice captcha image generator, and I'd 
like to try integrating it with a CForms application.  But 
SimpleCaptcha assumes a different architecture, in which the string 
generator and the image generator are packaged together, and it's the 
checker's job to obtain the check string from this component.  To allow 
the use of CForms captcha validation with any image generator, it 
should be configurable whether it's to function as the string producer 
(i.e., use native string generator) or consumer (i.e., use 
method/source/whatever provided to obtain the check string from 
elsewhere) of the check string.  I can think of a couple of ways this 
could go together... any ideas?


5) Use CaptchaReader instead of SVG captcha generation in CForms 
captcha sample

The image generator from the captcha block makes better captchas IMHO 
than the SVG-based example in the CForms samples; and, if we want a 
sample that's closer to what most users are likely to do, why drag in 
the rather heavyweight dependency tree of SVG for this?  So I would 
suggest switching the CForms captcha sample to use the CaptchaReader 
instead.

WDYAT?

cheers,
—ml—

[1] http://simplecaptcha.sourceforge.net/

Re: Thoughts about captcha stuff

[Mark Lundquist <ml...@wrinkledog.com>]

ugh... brain not fully warmed up...

On Nov 9, 2006, at 2:13 PM, Mark Lundquist wrote:

> [...] The CForms <captcha> widget treats the captcha image as part of 
> the image;

I meant to say, "as part of the widget".


> [...] if we want a sample that's closer to what most users are likely 
> to do, why drag in the rather heavyweight dependency tree of SVG for 
> this?

I meant to say, "of Batik for this".

—ml—