The simpler, the better. It's needed, whatever method you choose. I
personally am not worried about attackers getting to my script. Most
of my problems come with automated form filling bots, I doubt anyone
is going to go to great lengths to solve the puzzle.
Thanks very much for your work on it!
On Feb 19, 6:39 pm, Anders Brownworth <ander...@gmail.com
> Well, I like it. Interface-wise, this would be a great experience. But if I
> showed the logic to test the selection on the page without actually
> submitting it first, an attacker could easily reverse engineer that to
> figure out what to press. (because the answer would be hidden in the
> call but then we might have to ever-so-slightly reduce our "works
> everywhere" mantra. Is it really a big deal if a bad choice were to result
> in an intermediary JustHumans-delivered page that said "Please try again"? I
> suppose I could do the Ajax idea... I'll have to think about that.
> Anyone else have an opinion (passionate or not) either way?
> On Thu, Feb 19, 2009 at 6:15 PM, EyeMagination-Brian <00davi...@gmail.com
> > Anders posted:
> > When a user tries to submit a form but picks the wrong image, redirect
> > the user to a JustHumans page that re-challanges them with a new
> > puzzle. If they still pick the wrong image, tell them their form was
> > not submitted. If they pick the correct image in either case, redirect
> > to the redirect URL as it does now. (I'm still looking for feedback on
> > this. If you want this functionality, let us know.)
> > I love this idea if it's kept simple. I see it like this: If someone
> > picks the wrong shape, "Please Pick the Correct Image" (in red, 12pt
> > Bold font would) would show below. If they pick the wrong image
> > again, it goes to the error page we created.
> > For me, having duplicate requests is our #1 issue. I say "go for it"
> > Anders.
> > Agree? Disagree? Your Thoughts?
> Anders Brownworthhttp://www.anders.com/