Is captcha necessary after log in?

Developer (https://www.devze.com), 2023-04-03 15:45. Source: Internet
I would like to know...

It's useless to set up captcha and other antispam controls for submits from a protected point inside a webapp, isn't it? I mean, if to reach a page you need to log in, this page is unreachable by bots.

Am I right?

EDIT:

Since most of the people answered that this is not true if someone first logs in manually and then teaches the credentials to the bot, I'll comment on your answers here:

  1. If someone spent time to log in manually then he could also do the spam manually, without needing a bot. And in that case all the spam is coming from a user that only produces spam, so it will be easy to get rid of his spam.
  2. My apps are very small, for internal use, so it is very unlikely that someone would do manual spam.


No, not useless. A bit tedious for real humans, but it's always good to periodically check that the "user" is actually still a human, and not a bot. After all, a real human may go through the login captcha check, then hand that login session over to a bot which could then merrily spam the hell out of your site. A periodic captcha check within the site would stop (or at least pause) that bot until its human could come fill in the captcha.


That's not true. Once you have logged in, your cookies could be stolen. Have a look at Firesheep for example. If your machine is infected (or a machine in your local network), it could be used by a bot in order to use your cookies and perform authenticated operations through the active login session.

If someone spent time to log in manually then he could also do the spam manually, without needing a bot. And in that case all the spam is coming from a user that only produces spam, so it will be easy to get rid of his spam.

That's not the point, at least as far as my answer is concerned. If your cookies have been stolen, the malicious bot running the attack doesn't need to log in, because login already occurred. The only things a bot should do in this scenario are:

  1. Monitor a vulnerable machine until a login is performed.
  2. Steal the cookies from the logged machine.
  3. Start to spam.


Am I right?

Not necessarily - after all you could teach a bot to log in, and then do all sorts of havoc inside.

That's why sites like Stack Overflow still show a captcha even for the most trusted users on occasion.

Related Meta.SO question: https://meta.stackexchange.com/questions/3346/why-is-captcha-for-higher-rep-users-even-necessary


Well, the whole point of Captcha is to stop bots from getting into your site or posting comments, etc. in the first place.

If the bot is inside your website it would mean one of a few things:

  1. The bot somehow gained access to a username and password

  2. The bot managed to get through Captcha at login and also has a username and password

So no, using Captcha inside your website is not a good idea unless the user is accessing potentially secure information such as banking details, etc. But when this is a problem it would perhaps be better to make them re-enter their password rather than use Captcha.
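
The in-session checks the answers above describe (a captcha when a logged-in session submits at bot speed, a password re-entry before sensitive operations), as an added example that is not from the original posts. The thresholds and the names `Session`, `required_challenge`, `captcha_solved`, `password_reentered` and `replay` are assumptions, and any event timeline fed to `replay` is constructed.

```python
from collections import deque
from dataclasses import dataclass, field

# Assumed policy values (hypothetical, tune per application).
SUBMIT_LIMIT = 5          # submits allowed per window before a captcha
WINDOW_SECONDS = 60
REAUTH_MAX_AGE = 15 * 60  # sensitive actions need a password this recent


@dataclass
class Session:
    password_verified_at: float                    # time of last password entry
    submits: deque = field(default_factory=deque)  # timestamps of recent submits


def required_challenge(session: Session, sensitive: bool, now: float) -> str:
    """Return 'password', 'captcha' or 'none' for a submit at time `now`."""
    # Sensitive operations: ask for the password again instead of a captcha,
    # so a stolen session cookie alone is not enough.
    if sensitive and now - session.password_verified_at > REAUTH_MAX_AGE:
        return "password"
    # Drop submits that fell out of the sliding window.
    while session.submits and now - session.submits[0] >= WINDOW_SECONDS:
        session.submits.popleft()
    # Too many submits for a human: pause the session until a captcha is solved.
    if len(session.submits) >= SUBMIT_LIMIT:
        return "captcha"
    session.submits.append(now)
    return "none"


def captcha_solved(session: Session) -> None:
    """Reset the submit counter once the user passes the captcha."""
    session.submits.clear()


def password_reentered(session: Session, now: float) -> None:
    """Record a fresh password check for the session."""
    session.password_verified_at = now


def replay(session: Session, events):
    """Run constructed (time, sensitive) events; return the decisions."""
    return [required_challenge(session, s, t) for t, s in events]
```

The decision is made server-side per session, so it applies equally to a bot that was handed a login and to one replaying a stolen cookie.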
