Securing Forms Without Captcha

Captchas are a terrible user experience. Instead of using a captcha, let’s look at two passive things you can add to a form to reduce spam.

Submission Timer

In general, humans are slow.  This is one of the reasons we invented computers and started scripting bots to begin with – non-humans are quicker and more efficient at completing certain tasks than we’ll ever be.

And that can also be their disadvantage.

Add a hidden field to your form that contains the current server time (based on when the form was generated).  Then, upon submission, check the form’s timestamp against the current server time.  If the form was submitted too quickly (say, less than 3 seconds) then a human probably didn’t fill it out.

<form method="post">
<!-- the hidden field needs a name, otherwise its value is never sent back to the server -->
<input type="hidden" name="timestamp" value="<?php echo time(); ?>" />
<input type="text" name="email" />
<input type="submit" value="Submit" />
</form>

Twitter, for example, uses a similar timer to secure submissions to their API.  Most API requests require a server timestamp.  Twitter requires the request timestamp be within five minutes of their server time in order to be marked as “valid.”

This approach won’t work if you use full-page caching on your system, though: a cached page hands every visitor the same old timestamp, so the check no longer measures how long the form actually took to fill in. Be sure to disable the cache for your form pages.

Honeypot

A honeypot is a trap used to detect bots. It’s a form field that, usually, is invisible to real visitors but seen – and completed – by scripts, bots, and other programs trying to attack your form.

A bot is typically smart enough to fill fields labeled “email” with a valid email address so they can skip past validation routines. Like their speediness, this trait can be used to identify and reject submissions from bots.

For our purposes, we rename our real email field to “alternate” and add a decoy field named “email” that CSS will hide.

<style type="text/css">
.email-block { display: none; }
</style>
<form method="post">
<p class="name-block">
<label for="name">Name:</label>
<input type="text" name="name" id="name" />
</p>
<!-- Honeypot, hidden by the CSS above. autocomplete="off" stops browser autofill from
     populating it and flagging a real visitor; tabindex="-1" keeps keyboard users from tabbing into it. -->
<p class="email-block">
<label for="email">Leave this blank if you’re human</label>
<input type="text" name="email" id="email" autocomplete="off" tabindex="-1" />
</p>
<p class="alternate-block">
<label for="alternate">Email:</label>
<input type="text" name="alternate" id="alternate" />
</p>
<input type="submit" value="Submit" />
</form>

When viewed in a browser, the entire email block is hidden from the user, so they can’t fill in the “email” field by mistake. Even if they’re using a text-based browser or a screen reader that ignores the display: none; declaration, the label makes it clear that the field is meant to be left blank.

Bots, however, will fill in the field. When processing the request on the server side, we can reject it wholesale if “email” is non-empty.
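The server side of both techniques, the submission timer and the honeypot, as an added example that is not code from the original post. It assumes hidden fields named “ts” and “ts_sig”, the honeypot “email” and the real address in “alternate”; signing the timestamp with an HMAC goes beyond the post’s bare time() field so that a bot cannot simply submit an old timestamp of its own choosing.

```php
<?php
// Added example, not code from the original post: the server side of the submission
// timer and the honeypot described above. Assumed field names: hidden "ts" and
// "ts_sig", honeypot "email", real address "alternate". Signing the timestamp is an
// addition to the post's bare time() field; without it a bot can submit an old
// timestamp of its own choosing and pass the timer check.

const MIN_FILL_SECONDS = 3;     // faster than this is probably a script
const MAX_FORM_AGE     = 3600;  // older than this is a stale or replayed form

// Value for the hidden "ts_sig" field ("ts" carries $issued itself);
// $secret is a random server-side key that never reaches the browser.
function timer_sign(string $secret, int $issued): string
{
    return hash_hmac('sha256', (string) $issued, $secret);
}

// Returns null when the submission looks human, otherwise a short rejection reason.
function check_submission(array $post, string $secret, int $now): ?string
{
    $ts  = $post['ts'] ?? '';
    $sig = $post['ts_sig'] ?? '';
    if (!is_string($ts) || !ctype_digit($ts) || !is_string($sig)) { return 'missing timer'; }
    // hash_equals() compares in constant time
    if (!hash_equals(timer_sign($secret, (int) $ts), $sig)) { return 'tampered timer'; }
    $age = $now - (int) $ts;
    if ($age < MIN_FILL_SECONDS) { return 'too fast'; }
    if ($age > MAX_FORM_AGE)     { return 'stale form'; }

    // Honeypot: the CSS-hidden "email" field must come back empty
    $trap = $post['email'] ?? '';
    if (!is_string($trap) || trim($trap) !== '') { return 'honeypot filled'; }
    // The visible field is named "alternate"; validate it as the real address
    if (filter_var($post['alternate'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid email';
    }
    return null;
}

// Constructed demo: a form rendered at $t0 and submitted five seconds later
$secret = 'PLACEHOLDER-replace-with-a-long-random-secret';
$t0     = time();
$human  = ['ts' => (string) $t0, 'ts_sig' => timer_sign($secret, $t0),
           'email' => '', 'alternate' => 'user@example.com'];
$bot    = $human;
$bot['email'] = 'spam@example.com';   // a script "helpfully" fills every field it finds
var_dump(check_submission($human, $secret, $t0 + 5));
var_dump(check_submission($bot, $secret, $t0 + 5));
var_dump(check_submission($human, $secret, $t0 + 1));
```

In production the upper age bound also limits how long a captured form can be replayed; tune both bounds to how long your visitors genuinely take.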

Further Protection

These are just two passive routes you can take to secure contact, purchase, comment, or other forms on your website. They’re almost entirely transparent to your visitors and thus won’t carry the same frustration and distasteful UX of a captcha. At the same time, they’re nearly as effective at blocking spam submissions.

For spam that does continue to make it through, you can turn to active prevention techniques like an IP block list or a service like Akismet.

An IP block list is a hand-curated list of addresses known to generate spam; requests coming from these IPs can and should be ignored. You can curate the list yourself, or turn to one of the many publicly curated lists available online.

Akismet will scan the content, referer, and IP address of a comment or form submission and compare it against a database of known spam. Potential spam submissions are flagged as such and can either be ignored or held (to allow manual double-checking for false positives). The service is free for personal use, or there are reasonably priced plans for commercial sites.

Whatever route you take, there are always both passive and active alternatives to captchas. Avoiding captchas will improve your conversion rate and make the experience of using your site that much more pleasant for any visitor who comes along.

More info: http://jumping-duck.com/tutorial/securing-forms-without-captcha/