Webmastersite.net

Security Image Change
Altering the frequency of its change.

Comments on Security Image Change

Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Paul
Posted Jan 01, 2005 - 11:15 PM:

No, it changes based on a timestamp that updates every 24 hours. Changing it too frequently would simply cause it to end up changing between the time someone fills out a form and the time they submit it, leading to rejections that shouldn't be rejected.

It won't do much against someone with a little scripting knowledge targeting the forms.

Why do you say that? They'd have to manually go to the site and figure out what the code for the day is, and manually going to a site defeats the whole purpose/method of what they do.
Paul
1 of 1 people found this comment helpful
Posted Jan 03, 2005 - 12:06 AM:

Well, it's all handled by one line in commonfuncs.php:

return strtolower(substr(md5($settings->lastdaily), 0, 4));

That can be made to change every hour by changing $settings->lastdaily to $settings->lastrotation (which is an hourly updating timestamp). I suppose if you're only using this on registration, not for comment posts and link submissions and the like, the odds of it inconveniencing anyone are low (and anyhow all they have to do is retype the image content if it changes while they're registering).

As far as I can see, making it truly random would either involve submitting the value as a hidden field in the form (which obviously defeats the purpose as the bot could extract it from there) or maintaining an extensive list, possibly a whole database table, of the various forms in progress and their identifying features and security image values.

Some code to simply deny attempts at registering more than x users per minute, or perhaps just ones where the registration data is similar in some key way, might be more effective.
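
Added example (not the project's code and not part of the post above): a sketch of the second option the post describes, a server-side table of forms in progress, where each rendered form gets its own random code that expires and can be checked only once. `ChallengeStore`, its method names, the 15-minute lifetime and the in-memory array standing in for a database table are all assumptions.

```php
<?php
// Added example; ChallengeStore and its methods are hypothetical names.
// An in-memory array stands in for the database table the post mentions.

final class ChallengeStore
{
    private $rows = [];   // form_id => ['code' => string, 'expires' => int]
    private $ttl;         // lifetime of an issued code, in seconds

    public function __construct(int $ttl = 900)
    {
        $this->ttl = $ttl;
    }

    // On form render: form_id goes into a hidden field, the code only into the image.
    public function issue(int $now): array
    {
        // Characters that are easy to confuse in an image (0/o, 1/l/i) are left out.
        $alphabet = 'abcdefghjkmnpqrstuvwxyz23456789';
        $code = '';
        for ($i = 0; $i < 4; $i++) {
            $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
        }
        $formId = bin2hex(random_bytes(16));   // unguessable row key
        $this->rows[$formId] = ['code' => $code, 'expires' => $now + $this->ttl];
        return [$formId, $code];
    }

    // On submit: the row is deleted on the first attempt, so each code is single-use.
    public function verify(string $formId, string $typed, int $now): bool
    {
        $row = $this->rows[$formId] ?? null;
        unset($this->rows[$formId]);
        if ($row === null || $now > $row['expires']) {
            return false;
        }
        return hash_equals($row['code'], strtolower(trim($typed)));
    }
}

// Constructed demo values (timestamps are arbitrary integers).
$store = new ChallengeStore(900);
[$id, $code] = $store->issue(1000);
var_dump($store->verify($id, strtoupper($code), 1010));  // first submit, correct code
var_dump($store->verify($id, $code, 1020));              // same form_id submitted again
[$id2, $code2] = $store->issue(1000);
var_dump($store->verify($id2, $code2, 2000));            // submitted after the lifetime
```

Unlike the hidden-field approach the post rules out, only the row key travels with the form; the code itself stays on the server and in the image.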