> In non-AJAX apps, automatic checking can be prevented using a Captcha in
> the registration page.

As you could with an AJAX application; I don't understand what would prevent you from doing so. What main difference do you see between a GET or POST made by the browser when submitting a plain old form and a GET or POST made using XMLHttpRequest? What would be more secure with a plain old form? Maybe I didn't understand what you meant (my English is not so good).

I think the real security issue to care about is what your server-side logic returns in an Ajax context and how your Ajax client-side scripts handle the returned data. But with XSS exploit knowledge in mind, you should be able to put away those concerns.

> For example, in Yahoo, guess how they are checking?
> https://edit.yahoo.com/membership/json?PartnerName=yahoo_default&RequestVersion=1&AccountID=johndoe&GivenName=&FamilyName=&ApiName=ValidateFields&1763407

Yes, this is a bad method, but you're not forced to do something bad.

--
Fabien Meghazi
Website: http://www.amigrave.com
Email: [EMAIL PROTECTED]
IM: [EMAIL PROTECTED]
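The point made above, that the server sees the same request whether it came from a plain form or from XMLHttpRequest, and that what matters is what the server returns and how the client renders it, as an added example that is not part of the original thread and not Yahoo's code. It models a username "ValidateFields"-style endpoint as a pure function so it runs offline; the field names (`AccountID`, `captcha`), the `req.session.captcha` store, the per-client counter and the sample account list are all assumptions constructed for the example.

```javascript
// Added example (not from the thread or from Yahoo): a username-availability
// handler that applies the same controls to a classic form post and to an
// XHR/JSON post, and a client-side renderer that never treats the reply as markup.

const TAKEN = new Set(["johndoe"]);   // constructed sample account list
const requestCounts = new Map();      // per-client counter (in-memory, example only)
const RATE_LIMIT = 5;                 // availability checks allowed per client

// A <form> submission and an XMLHttpRequest both arrive as method + headers + body.
// This normalises either body encoding into one object.
function parseBody(contentType, body) {
  if (contentType.startsWith("application/json")) {
    return JSON.parse(body);
  }
  // application/x-www-form-urlencoded, what a plain old form sends
  return Object.fromEntries(new URLSearchParams(body).entries());
}

// X-Requested-With is client-controlled, so it is deliberately not consulted:
// the limit applies to forms and XHR alike.
function allowRequest(clientId) {
  const n = (requestCounts.get(clientId) || 0) + 1;
  requestCounts.set(clientId, n);
  return n <= RATE_LIMIT;
}

// Server side. `req.session.captcha` stands for the answer stored server-side
// when the CAPTCHA was issued (assumed session mechanism).
function validateFields(req) {
  if (req.method !== "POST") {
    return { status: 405, body: { error: "use POST" } };
  }
  if (!allowRequest(req.clientId)) {
    return { status: 429, body: { error: "too many requests" } };
  }
  const fields = parseBody(req.headers["content-type"] || "", req.body);
  if (!req.session || fields.captcha !== req.session.captcha) {
    return { status: 403, body: { error: "captcha failed" } };
  }
  const name = String(fields.AccountID || "").trim().toLowerCase();
  if (!/^[a-z0-9_]{3,32}$/.test(name)) {
    return { status: 400, body: { error: "invalid account id" } };
  }
  // Structured JSON with an explicit type and nosniff, so the browser
  // never interprets the reply as HTML or script.
  return {
    status: 200,
    headers: { "content-type": "application/json", "x-content-type-options": "nosniff" },
    body: { accountId: name, available: !TAKEN.has(name) },
  };
}

// Client side: returned data is text to display, never markup to insert.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderMessage(payload) {
  if (payload.error) {
    return escapeHtml(payload.error);
  }
  return `${escapeHtml(payload.accountId)} is ${payload.available ? "available" : "taken"}`;
}
```

The form request and the JSON request below differ only in encoding; the handler cannot tell them apart and applies the CAPTCHA check and the rate limit to both, which is the reason a CAPTCHA on the registration page protects an AJAX check exactly as well as a non-AJAX one.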