Prevent YSlow from querying the captcha generator

Posted 2024-12-05 02:39:59, 810 characters, 2 views, 0 comments


i have a pretty simple captcha, something like this:

<?php
    session_start();
    function randomText($length) {
        $pattern = "1234567890abcdefghijklmnopqrstuvwxyz";
        $key = '';                      // initialise: appending to an undefined variable raises a notice
        $max = strlen($pattern) - 1;
        for ($i = 0; $i < $length; $i++) {
            // square-bracket string offset: the {} offset syntax was removed in PHP 8
            // random_int() is a CSPRNG, unlike rand()
            $key .= $pattern[random_int(0, $max)];
        }
        return $key;
    }
    $textCaptcha = randomText(8);
    $_SESSION['tmptxt'] = $textCaptcha;
    $captcha = imagecreatefromgif("bgcaptcha.gif");
    $colText = imagecolorallocate($captcha, 0, 0, 0);
    imagestring($captcha, 5, 16, 7, $textCaptcha, $colText);

    header("Content-type: image/gif");
    imagegif($captcha);
    imagedestroy($captcha);
?>

The problem is that if the user has YSlow installed, the image is queried 2 times, so the captcha is re-generated and never matches the one inserted by the user.

I saw that it is only queried a second time if I pass the Content-Type header as gif; if I print it as normal PHP, this doesn't happen.

Does someone have any clue about this? How can I prevent it, or identify that the second query is made by YSlow, so as to not generate the captcha again?

Regards,
Shadow.


病毒体 2024-12-12 02:39:59


YSlow does request the page components when run, so it sounds like your problem is cases where the user has YSlow installed and it's set to run automatically at each page load.

The best solution may be to adjust your captcha code to not recreate new values within the same session, or, if it does, to make sure the session variable matches the image sent.

But to your original question about detecting the second query made by YSlow, it's possible if you look at the HTTP headers received.

I just ran a test and found these headers sent with the YSlow request. The User-Agent is set to match the browser (Firefox in my case), but you could check for the presence of X-YQL-Depth as a signal. (YSlow uses YQL for all of its requests.)

Array
(
    [Client-IP] => 1.2.3.4
    [X-Forwarded-For] => 1.2.3.4,  5.6.7.8
    [X-YQL-Depth] => 1
    [User-Agent] => Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
    [Accept-Encoding] => gzip
    [Host] => www.example.com
    [Connection] => keep-alive
    [Via] => HTTP/1.1 htproxy1.ops.sp1.yahoo.net[D1832930] (YahooTrafficServer/1.19.5 [uScM])
)
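The session-based fix the answer recommends, as an added example (not code from either poster): the challenge text is created once per session and only discarded after a verification attempt, so a second fetch of the image (by YSlow, a preloader, or a retry) re-renders the same text instead of replacing the value the form will be checked against. The file layout (the form includes this file and calls captchaText(); captcha.php?img=1 serves the image; the form handler calls verifyCaptcha()), the 600-second lifetime, and the generated background instead of bgcaptcha.gif are assumptions made for the example.

```php
<?php
// Added example, not the original poster's code. Assumed layout: form.php
// includes this file and calls captchaText(); captcha.php?img=1 serves the
// image; the form handler calls verifyCaptcha($_POST['captcha']).
session_start();

const CAPTCHA_LEN = 8;
const CAPTCHA_TTL = 600;   // seconds a challenge stays valid (assumed value)

function newCaptchaText(int $length): string {
    $alphabet = '23456789abcdefghjkmnpqrstuvwxyz';   // ambiguous glyphs dropped
    $max = strlen($alphabet) - 1;
    $text = '';
    for ($i = 0; $i < $length; $i++) {
        $text .= $alphabet[random_int(0, $max)];   // CSPRNG, unlike rand()
    }
    return $text;
}

// Return the current challenge, creating one only when none exists or it has
// expired. Rendering the image never replaces an existing challenge.
function captchaText(): string {
    $c = $_SESSION['captcha'] ?? null;
    if ($c === null || time() - $c['created'] > CAPTCHA_TTL) {
        $_SESSION['captcha'] = [
            'text'    => newCaptchaText(CAPTCHA_LEN),
            'created' => time(),
        ];
    }
    return $_SESSION['captcha']['text'];
}

// Render whatever challenge is in the session; fetching the image twice is
// harmless because the session value is read, not rewritten.
function sendCaptchaImage(): void {
    $text = captchaText();
    $img = imagecreatetruecolor(120, 30);   // generated background (no bgcaptcha.gif needed)
    imagefilledrectangle($img, 0, 0, 119, 29, imagecolorallocate($img, 255, 255, 255));
    imagestring($img, 5, 16, 7, $text, imagecolorallocate($img, 0, 0, 0));
    header('Content-Type: image/gif');
    header('Cache-Control: no-store');      // each fetch is rendered fresh, never cached
    imagegif($img);
    imagedestroy($img);
}

// One attempt per challenge: compare in constant time, then discard it so a
// guessed or replayed answer cannot be retried against the same text.
function verifyCaptcha(string $answer): bool {
    $c = $_SESSION['captcha'] ?? null;
    unset($_SESSION['captcha']);
    if ($c === null || time() - $c['created'] > CAPTCHA_TTL) {
        return false;
    }
    return hash_equals($c['text'], strtolower(trim($answer)));
}

// Optional telemetry only: the answer above observed X-YQL-Depth on the
// YSlow fetch. Log it rather than branching on it; the session design already
// makes the duplicate request harmless, and a header is easy to omit.
function isToolFetch(): bool {
    return isset($_SERVER['HTTP_X_YQL_DEPTH']);
}

if (isset($_GET['img'])) {
    if (isToolFetch()) {
        error_log('captcha image fetched by a YQL-backed tool');
    }
    sendCaptchaImage();
    exit;
}
```

The design choice worth noting is that the image handler only reads the session. The original script both generated and stored the text on every request, so whichever request arrived last won, and that is what broke under a second automated fetch. Clearing the challenge inside verifyCaptcha() rather than after a successful match also keeps a failed attempt from being retried against the same text.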