Hi, I think it is really cool that web2py works under the hood to keep a site secure (SQL injection, XSS...) and that it integrates and encourages reCaptcha.
As a user, though, I find captchas in general, and reCaptcha in particular, to be annoying and invasive. For a small site that I'm building I'm working on an automated anti-bot mechanism that should work without even being noticed by the end user (in my case, people posting comments to my blog posts). It is a combination of two different methods based on hidden fields.

The first field is not "hidden" as in <input type="hidden">. It is an <input type="text"> made invisible via CSS. It has a name like "email" or "address". When the form is submitted, I check if the value is EMPTY. Being invisible to the human user, a real user wouldn't fill it, but a bot would.

The second field's value is set to the current timestamp during the generation of the page. When the form is submitted I check if at least, say, 5 seconds have passed. A bot would fill and submit the form almost instantaneously, while it would take a real user some time.

I'll post more about this when it's properly done and tested, but, because a fair amount of automation is involved in web2py form creation / validation, it would perhaps be possible to include such a mechanism as a standard security behavior of the framework.
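Added example, not part of the original post and not web2py code: a framework-independent sketch of the two server-side checks described above (empty honeypot field, minimum 5-second delay). It goes one step further than the post by signing the timestamp with an HMAC so a client cannot submit an arbitrary old value; `SECRET_KEY`, the field name `form_ts` and the one-hour expiry are assumptions.

```python
import hashlib
import hmac
import time

# Assumption: a per-application secret kept server-side (placeholder value).
SECRET_KEY = b"replace-with-a-random-server-side-secret"
HONEYPOT_FIELD = "email"     # text input hidden via CSS; humans leave it empty
TIMESTAMP_FIELD = "form_ts"  # hypothetical name for the hidden timestamp field
MIN_SECONDS = 5              # minimum fill time, as in the post
MAX_SECONDS = 3600           # assumption: reject stale tokens to limit replay


def _sign(ts: str) -> str:
    return hmac.new(SECRET_KEY, ts.encode(), hashlib.sha256).hexdigest()


def issue_timestamp(now=None) -> str:
    """Value to embed in the hidden field when the page is rendered."""
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_sign(ts)}"


def check_submission(form: dict, now=None):
    """Return (accepted, reason) for a submitted form (dict of field -> str)."""
    now = time.time() if now is None else now
    # 1. Honeypot: any content in the invisible field marks the sender as a bot.
    if (form.get(HONEYPOT_FIELD) or "").strip():
        return False, "honeypot filled"
    # 2. The timestamp must be well-formed and carry a valid MAC; otherwise a
    #    client could send any old value and pass the delay check.
    ts, _, mac = (form.get(TIMESTAMP_FIELD) or "").partition(":")
    if not ts.isdigit() or not hmac.compare_digest(mac.encode(), _sign(ts).encode()):
        return False, "bad timestamp"
    elapsed = now - int(ts)
    if elapsed < MIN_SECONDS:
        return False, "submitted too fast"
    if elapsed > MAX_SECONDS:
        return False, "form expired"
    return True, "ok"
```

Logging the rejection reason rather than showing it to the client makes it possible to measure false positives, such as browser autofill populating a honeypot field named "email".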