hiberya

Using php’s session does not need cookies

True – the session ID can be propagated in the URL. However, that could affect several of the other bot-checking techniques. It could also be posted in the form data, but that’s not much different to using an encrypted time value.

You certainly can do that, but users must have cookies enabled for it to work.

Using php’s session does not need cookies, it stores the data in both cookies and as a session file on the server (for backup). I agree that the key should be checked.

Great post

why save the server time at form generation in a hidden field, and not i a session

You certainly can do that, but users must have cookies enabled for it to work. Also, the postback ensures the key was generated in the original form.

8. Time the user response

I really like this one. But why save the server time at form generation in a hidden field, and not i a session?

Joakim

Two things that I’m going to work on implementing this weekend are detecting Javascript and checking the time between the Page_Load and the POST.

Aksimet isn’t my cup-of-tea, at least as it concerns blog comments. Since it’s not flawless it has a holding queue, and that must be checked. I prefer something more passive that does its job without oversight. Bear in mind, please, that I haven’t used Akismet for anything other than comment moderation on a blog so I may be missing something. For spam control on my blog I have Akismet, Bad Behavior, and Mike Jolley’s WP Comment Spam Stopper (http://blue-anvil.com/archives/wordpress-comment-spam-stopper-plugin). I listed those fro least favorite/effective to most favorite/effective – based solely on my personal experiences.

Cheers.
Mike

So a blind user will come to a field where the label says “please leave this field blank” and fill it in … with what? And why?

I don’t think they will fill that in, and that would be a fair use. But that assumes that developers use that kind of text. It is important that developers thoughtfully implement that kind of input. If they use display:none; and a question like “What’s your age?” that would trip a bot, and folks using screen readers.
Craig Buckler said:

Besides that, a honeypot field cannot be any worse than a CAPTCHA for visually-impaired users!

I think many new CAPTCHA and CAPTCHA-like devices use an audio version that allows blind users to step around it. So, honestly, (re-)CAPTCHAs are relatively accessible, shopping around can help.
I am still a fan of using akismet (or other back-end validation), though, and I think most users (e.g. blind commenters in this case) who deal with these problems will appreciate your use of such technologies, or at least be less frustrated by it, since it is transparent to them. And while I haven’t gotten that many commenters on my blogs, I approve all comments from new users, and have had a good experience with akismet’s accuracy: where spam constitutes about 90% of the comments I receive.

Besides that, a honeypot field cannot be any worse than a CAPTCHA for visually-impaired users!

Honeypots are great, I use and recommend them myself. They should be offset (off-screen to the left), though, and not hidden with display:none. This will ensure the label (warning not to fill in the input) will be available to screen reader users so they don’t get caught in the trap.

If the input field is included in the display:none;, surely any screen reader setup that noticed the field would also read the label? Or am I being naively optimistic about screen readers…?