Program Limitations
This base program uses the user's IP as the reference to determine which image has been accessed. In most cases that should be fine.
However, if you have users on networks sharing one IP, you could have some issues if multiple users need to access your forms at the same time. It is unlikely, because the CAPTCHA is not generally used in high-traffic areas. But we can offer some options.
Rather than using the IP as the reference, you could set a cookie with a random sequence in captcha.cgi and retrieve the cookie in check-captcha.cgi. Just replace $ENV{'REMOTE_ADDR'} as the file name with the cookie value.
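
The cookie value comes from the browser, so check-captcha.cgi has to confirm it looks like a token captcha.cgi issued before using it as a file name. The following is an added example of that swap, not part of the original program; the cookie name captcha_id, the directory /tmp/captcha-demo, the helper names and the use of /dev/urandom are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed names (not from the original program): cookie "captcha_id",
# temp directory /tmp/captcha-demo.
my $COOKIE  = 'captcha_id';
my $TMP_DIR = '/tmp/captcha-demo';

# captcha.cgi side: make a 32-hex-character token from the kernel RNG
# (assumes a Unix-like host with /dev/urandom).
sub new_token {
    open(my $fh, '<:raw', '/dev/urandom') or die "urandom: $!";
    my $got = read($fh, my $bytes, 16);
    close($fh);
    die "short read from urandom" unless defined $got && $got == 16;
    return unpack('H*', $bytes);
}

# check-captcha.cgi side: pull the token out of the Cookie header and
# accept it only if it has exactly the shape new_token() produces.
# \A and \z anchor the whole value, so "../" or a trailing newline fails.
sub token_from_cookie {
    my ($header) = @_;
    for my $pair (split /;\s*/, $header // '') {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $value && $name eq $COOKIE;
        return $1 if $value =~ /\A([0-9a-f]{32})\z/;
    }
    return;    # no cookie, or a value we did not issue
}

# The file name that takes the place of $ENV{'REMOTE_ADDR'}.
sub temp_file_for {
    my ($token) = @_;
    return "$TMP_DIR/$token";
}

# Constructed sample inputs: two valid headers, then three to reject.
my $token = new_token();
print "Set-Cookie: $COOKIE=$token; Path=/; HttpOnly\n";
for my $header ("$COOKIE=$token", "other=1; $COOKIE=$token",
                "$COOKIE=../../etc/passwd", "$COOKIE=", '') {
    my $t = token_from_cookie($header);
    printf "%-50s -> %s\n", "'$header'",
        defined $t ? temp_file_for($t) : 'rejected';
}
```
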
The current version sets a cookie with the user's IP to compensate for AOL proxy servers that cache images for AOL browsers. The cookie could be changed to any number, which would not be dependent on the IP of the user.
The program will only work on AOL if cookies are enabled, or if you get lucky and the user gets the same IP 2 times in a row.
I did not write the program that way, because cookies do not work on every browser 100% of the time. I wanted something simple that always works regardless of the operating system or how insanely paranoid the user is to have turned off everything from cookies to JavaScript.
The cookie was the only logical option for AOL browsers, since they seem to have adopted a rotating IP that will make one user look like several.
If you plan on using it as a filter for open forum posting, it may be necessary to get more creative than just using the IP.
The cookie option is also a great option if you want to use one program to run all the form submissions on your entire server or network. Using one temp directory for 100 websites could get messy with shared IPs.
If you are not familiar with using temp files, explore how shopping carts are used to create a basket full of items. Some do use IP, but most use cookies.
Verifier Code Limits
Since this program uses static images, you are limited to the images in your directory. Of course you could upload 1 million images, but that would be insane, and at that point you could use the on-the-fly method rather than our simple program.
With 1000 images of 4 digits, there are still over 1.6 million possible combinations that the user would need to check. Even though you are only selecting from 1000 of those 1.6 million options, the user would need to know your 1000 codes to narrow their chances of guessing from 1 in 1.6 million to 1 in 1000. Even at 1 in 1000, the program still offers great protection against bots.