The idea is not about equations ie. arithmetic, the idea is about generating div content dynamically which the spambots cannot get easily unless they somehow read the contents of the div also… (which is somewhat harder without XHR).. Having said this.. it does not mean that this is not hard to read the equations at all, it is just about increasing the “cost” for the spambots!

Sun blogs are using this, and AFAIK a lots of others too. Its a very viable lightweight CAPTCHA system.

Session variables are stored on server, in memory or in the db. I don’t think one can find out the LHS of the captcha equation Abhijit is talking about.

So, If the bot is intelligent enough, it can read the dynamically populated equation but not the answer.

Thanks,
Siddharth

Very interesting idea.

How is the “session[:capsum]” variable stored?

I can tell you one thing, that I have done recently – is to scrape the dynamic parts of a DHTML web pages (using PHP and curl). Basically we read the parts of a web page (div’s) that are dynamically populated using Javascript or XHR (using innerHTML). So, it is possible to read dynamically populated DOM variables, I am sure session variables too. So, in that case it may be possible to scrape the left-hand-side of the equation, therefore calculate this equation and therefore break the captcha.

Even with this will still be a captcha, however a weak captcha. I have seen several captcha implementations, some are very strong, to an extent that a lazy human (like me) would find it objectionable to read the text and type it in the form. I have seen weak captcha, where they just have a handmade textual pattern that you need to guess.

My suggestion will be, unless you are a target of a major DOS attack, you shouldn’t spend much time on a captcha, just fabricate a few dozen images and use those. Or if the above implementation is easy enough, just use that.

I hope that helps.

Thanks,
Mukul.
http://mukulblog.blogspot.com