Re: CAPTCHA system in webDNA
This WebDNA talk-list message is from 2005
It's my understanding that AOL uses the same IP addresses for large groups
of its members. Wouldn't this cause a problem with that type of
application?

Justin Carroll

On 1/19/05 8:54 PM, "Kenneth Grome" wrote:

> Hi Bill,
>
> Your proposed method looks like a good extension of my suggestion,
> especially the use of a randomly generated password. [cart] creates
> a value that looks too much like a number sometimes, and this might
> encourage hackers to run a brute force test on the page that's posted
> in the email.
>
> I also use a technique similar to the one Dan got from Brian Fries to
> generate virtually unique values, but I extend it even further by
> making the number of characters in each generated password value a
> random number between (for example) 10 and 20 characters. Then the
> hacker has one additional variable to deal with if he tries a brute
> force attack.
>
> I also like your idea to disable access to the page after X attempts
> from the same IP address within a pre-determined time period, because
> that would even further deter a brute force attack. After all, the
> valid password is already in the URL, which means the visitor from a
> specific IP address *should* get the password right on his very first
> attempt -- but certainly after a handful of failures this page should
> be 'turned off' for that IP address for an hour or so, and ask the
> visitor to try again later.
>
> Sincerely,
> Kenneth Grome
> www.kengrome.com
>
>> -----Original Message-----
>> From: Kenneth Grome
>> Sent: Thu, 20 Jan 2005 00:12:48 +0800
>> To: "WebDNA Talk"
>> Subject: Re: CAPTCHA system in webDNA
>>
>> You're trying to prevent automatic email deletion from an opt-in mailing
>> list?
>>
>> I wouldn't mess with the system you're suggesting at all. Instead,
>> when the visitor enters his (or someone else's) email address into
>> the email field in your unsubscribe form, I would enter a unique
>> value into the 'unsubscribe' field of his database record:
>>
>> [replace db=subscribers.db&eqemaildatarq=[email]]unsubscribe=[cart][/replace]
>>
>> ... and then in the same template I would send the visitor an email
>> message with a URL that has that same unique value in it, like this:
>>
>> ************************************
>> "Someone entered your email address into the
>> UNSUBSCRIBE page on our web site. If that person
>> was you, and if you really want to unsubscribe, just
>> click this link and we will unsubscribe you immediately:"
>>
>> http://domain.com/page.html?out=[cart]
>>
>> "But if you do NOT want to unsubscribe from our list,
>> please just ignore this message, thanks."
>> ************************************
>>
>> The person who receives this email message may (or may not) click
>> that link. If he clicks the link, your WebDNA code simply deletes
>> the only record in the subscribers database that has that unique
>> 'out' value in the unsubscribe field:
>>
>> [delete db=subscribers.db&equnsubscribedatarq=[out]]
>>
>> Simple and efficient, and no images or other non-WebDNA tricks required.
>>
>> :)
>>
>> Sincerely,
>> Kenneth Grome
>> www.kengrome.com

-------------------------------------------------------------
This message is sent to you because you are subscribed to the mailing list.
To unsubscribe, E-mail to:
To switch to the DIGEST mode, E-mail to:
Web Archive of this list is at: http://webdna.smithmicro.com/
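The flow the thread converges on (a random token of random length stored in the subscriber's record, mailed back in a link, the record deleted only when the token matches, and the page locked for an IP after X failures within a time window), written out as an added example in Python rather than WebDNA. This is not code from the thread or from WebDNA; the class and method names, the in-memory dict standing in for subscribers.db and the sample address are assumptions made here for illustration.

```python
"""Token-based unsubscribe confirmation with a per-IP attempt limit.

Added example (Python, not WebDNA). Names and the in-memory "database"
are illustrative, not a library API.
"""
import secrets
import string
import time
from collections import defaultdict, deque

# 62 symbols, so the token never looks like a plain number (Kenneth's
# objection to using [cart] as the secret).
ALPHABET = string.ascii_letters + string.digits


def make_token(min_len=10, max_len=20):
    """Random alphanumeric token whose length is itself random (10..20 chars).

    secrets.* draws from the OS CSPRNG, so the value is unpredictable; the
    random length is the extra unknown the thread suggests giving a guesser.
    """
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class UnsubscribeService:
    """In-memory stand-in for subscribers.db plus the unsubscribe page logic."""

    def __init__(self, max_failures=5, lockout_seconds=3600, clock=time.time):
        self.clock = clock                      # injectable so tests can move time
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.records = {}                       # email -> {"unsubscribe": token or None}
        self.failures = defaultdict(deque)      # ip -> timestamps of failed confirms

    def subscribe(self, email):
        self.records[email] = {"unsubscribe": None}

    def request_unsubscribe(self, email):
        """Step 1: an address is submitted on the unsubscribe form.

        Stores a fresh token on that record and returns the confirmation URL
        that would be mailed to the address. For an unknown address nothing is
        stored or sent; the caller should still show the same "check your
        mail" page so the form does not reveal who is on the list.
        """
        rec = self.records.get(email)
        if rec is None:
            return None
        token = make_token()
        rec["unsubscribe"] = token
        return "http://domain.com/page.html?out=" + token

    def _is_locked(self, ip):
        """True once this IP has max_failures failures inside the window."""
        cutoff = self.clock() - self.lockout_seconds
        q = self.failures[ip]
        while q and q[0] < cutoff:
            q.popleft()                         # forget failures older than the window
        return len(q) >= self.max_failures

    def confirm(self, token, ip):
        """Step 2: the mailed link is opened.

        Returns 'unsubscribed', 'invalid' or 'locked'. The lock is checked
        first, so a locked IP is refused even when it presents a valid token.
        """
        if self._is_locked(ip):
            return "locked"
        for email, rec in list(self.records.items()):
            # compare_digest keeps the match time independent of where the
            # first differing character is (no timing side channel on the token)
            if rec["unsubscribe"] and secrets.compare_digest(rec["unsubscribe"], token):
                del self.records[email]         # the only record carrying this token
                return "unsubscribed"
        self.failures[ip].append(self.clock())
        return "invalid"
```

Because the lock is keyed on the source address, a valid link opened from a locked IP is refused, which is exactly the shared-proxy case Justin raises: a few bad requests from one AOL user would lock the page for everyone behind that address for the whole window. With tokens of at least 10 alphanumeric characters (62^10, roughly 8e17 values) the token itself is the real defence against guessing, so the per-IP lock can be treated as defence in depth and kept short.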