如何使用 jQuery UI Slider 构建安全的验证码?
我想通过使用滑块来为我的注册构建一个奇特且易于使用的验证码,用户可以在该滑块上证明他是人类而不是脚本。
到目前为止,我使用 jQuery UI Slider 实现了滑块,如果值为 100,则会出现提交按钮。看起来不错,我对这种行为感到满意。
但由于 JS 是由客户端执行的,每个人都可以看到我的代码,并且可以通过使用脚本触发相同的操作。对于脚本来说,按钮是否可用没有区别。脚本仅发布数据来提交表单,而我的滑块验证码毫无用处。
我的简单 JS 代码:
$(function() {
$( "#slider" ).slider({
value:0,
min: 0,
max: 100,
step: 50,
slide: function( event, ui ) {
if(ui.value == 100){
$( "#amount" ).val( "human" );
$("#regButton").slideDown();
} else if (ui.value == 50) {
$( "#amount" ).val( "nerd" );
$("#regButton").slideUp();
} else {
$( "#amount" ).val( "script" );
$("#regButton").slideUp();
}
}
});
$("#regButton").hide();
$( "#amount" ).val( "Script" );
});
HTML:
<label for="amount" style="text-align:right;">I'm a:</label>
<input type="text" id="amount" style="border:0; color:#f6931f; font-weight:bold; width: 197px;" />
<div id="slider"></div>
是否有可能构建验证码保护程序?使用服务器端哈希?设置标志?有哪些实践可以通过精美的 UI 和比输入字母更多的用户体验来实现安全性。
我在服务器端使用 Java EE 和 Spring MVC。使用滑块而不是 reCaptcha 会很好,例如。
编辑:我向滑块逻辑添加了一个哈希值。首先,服务器渲染一个隐藏字段,其中包含注册开始的日期,服务器根据该日期构建 md5 哈希值。当滑块移动时,会调用一个函数来读取隐藏字段的值并构建 md5 哈希值。哈希值将发送到服务器,并在提交注册之前与服务器的哈希值进行比较。不像文本验证码那样保存,但比什么都不做更有效。
我发现了这个:https://code.google.com/p/slidelock/
你的事?这家伙如何建造一个“安全”的滑块?他如何管理服务器端验证和 SALT?脚本编写者破解它是否安全或者成本更高?
I'd like to build a fancy and easy to use captcha for my registration by using a slider on which the user can proof he is a human and no script.
So far I implemented the slider with jQuery UI Slider, if the value is 100 the submit-button will be appear. Looks good and I'm satified with the behaviour.
BUT since JS is executed by the client everyone is able to see my code and can trigger the same actions by using a script. For scripts there is no difference if the button is available or not. Scripts only post data to submit forms and my slider-captcha is useless.
My simple JS-code:
$(function() {
$( "#slider" ).slider({
value:0,
min: 0,
max: 100,
step: 50,
slide: function( event, ui ) {
if(ui.value == 100){
$( "#amount" ).val( "human" );
$("#regButton").slideDown();
} else if (ui.value == 50) {
$( "#amount" ).val( "nerd" );
$("#regButton").slideUp();
} else {
$( "#amount" ).val( "script" );
$("#regButton").slideUp();
}
}
});
$("#regButton").hide();
$( "#amount" ).val( "Script" );
});
HTML:
<label for="amount" style="text-align:right;">I'm a:</label>
<input type="text" id="amount" style="border:0; color:#f6931f; font-weight:bold; width: 197px;" />
<div id="slider"></div>
Are there possibilities to build the captcha saver? Using serverside hashes? Setting flags? what are practises to archive security with a fancy UI and a little more user experince than entering letters.
I'm using Java EE with Spring MVC on the serverside. Whould be nice to use a slider instead of reCaptcha eg.
EDIT: I added a hash value to the slider logic. At the begin the server rendering a hidden-field with the date on which the registration started, the server build a md5-hash based on this date. Was the slider moved a function is called which reads the value of the hiddenfield and build an md5-hash, too. The hashvalue will be send to the server and before submitting the registration compared against the servervalue of the hash. Not as save as text-captchas but even more effective than doing nothing at all.
I found this: https://code.google.com/p/slidelock/
What do you thing? How do this guy build a "safe" slider? How he manage the serverside validation and the SALT? Is it safe or also only more expensive for scripter to crack it?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
为什么不使用现有的验证码组件而不是编写自己的验证码组件?
那里有很多这样的人。我推荐 http://www.google.com/recaptcha,它是免费的,有助于图书数字化。
Why don't you use an existing captcha component instead of writing own?
There are plenty of them out there. I would recommend http://www.google.com/recaptcha, which is free and helps with books digitalization.
仓促下结论并发布了我不应该发布的内容,抱歉。
我完全理解您想要定制它的愿望,尤其是当它很容易做到的时候。但我不认为使用滑块验证码有任何本质上的错误,只要它不是保护表单/应用程序的唯一方法。我认为它可以很容易地增强为具有唯一标识符,并且我认为它在易用性方面要优越得多。在测试和研究更多之后,我计划在未来的应用程序中使用它。
Jumped to conclusions and posted what I shouldn't, sorry.
I completely understand your desire to have it custom built, especially when it is so easy to do. But I don't see anything inherently wrong with using a slider captcha so long as it is not the only means of securing a form/application. I think it can easily be augmented to have unique identifiers, and I think it's far superior in ease of use. I plan to use it in my future applications after I test it and research more.