  1. #1

    Securing The Sign Up Form

    Hi, I am trying to think of ways of securing or at least "trying" to put some extra security measures in place on my website's sign-up form.

    I understand that captchas can be broken very easily and more importantly they could actually stop a potential user from signing up to my site.

    Points To Note:
    - I have strong JS and PHP validation in place on the sign-up form
    - users' accounts stay in 'pending' status until they click the validation link that was emailed to them (changes to 'active' once the validation link is clicked)
    - a cron runs every hour and deletes all 'pending' accounts that are older than 72 hours

    I cannot really think of any other security measures that I could put in place, without really annoying the users, and I understand that spam / bots are just part of everyday life on the internet...

    However, I would like to try and detect when suspicious activity occurs on my sign-up form... so I was thinking of implementing the following:

    When a user submits the form, check to see if the IP address has already created an account within the last 7 seconds... if it has, display a captcha

    I understand that a whole college or building might be running off the same IP address, but the worst that can happen is that a few users who create an account close together will have to enter a captcha... and even for a very popular site, that percentage would be very low as it is only used for sign-up and not for any other function on the site

    I am interested to hear whether anyone has any better ideas (which I am sure loads will have) or what you think of my idea, thanks in advance for your help...

  2. #2
    ralph.m
    Sounds like you have your form security wrapped up pretty nicely. But every little extra thing helps.

    One thing that has been discussed around here a lot lately is setting a 'timer' on the form. That is, the PHP checks how long the page has been open before the form is submitted. Bots will tend to submit the form very quickly, unlike real humans, so if you set the form to abort if the page wasn't open for more than, say, 7 seconds, you may trip up the bots quite a bit. This method also is very human friendly, of course, as real humans never even know it's there. It won't stop individual humans spamming you, but this is a much smaller problem than getting hit by bots.
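
The form timer described in this post, as an added example that is not part of the thread or of the write-up linked later in it: the render time travels in a hidden field signed with an HMAC, so the server can trust it on submit. `FORM_SECRET`, the function names and the one-hour upper bound are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed values for illustration; load the secret from configuration in practice.
const FORM_SECRET = 'replace-with-a-long-random-secret';
const MIN_SECONDS = 7;     // threshold mentioned in the thread
const MAX_SECONDS = 3600;  // assumed upper bound so a token does not stay valid forever

// Called when rendering the form: returns the value for a hidden field.
function issue_form_token(?int $now = null): string
{
    $ts = (string) ($now ?? time());
    return $ts . ':' . hash_hmac('sha256', $ts, FORM_SECRET);
}

// Called when handling the POST: returns 'ok', 'tampered', 'too_fast' or 'expired'.
function check_form_token(string $token, ?int $now = null): string
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'tampered';
    }
    [$ts, $mac] = $parts;
    // Constant-time comparison; the timestamp cannot be backdated without the secret.
    if (!hash_equals(hash_hmac('sha256', $ts, FORM_SECRET), $mac)) {
        return 'tampered';
    }
    $elapsed = ($now ?? time()) - (int) $ts;
    if ($elapsed < MIN_SECONDS) {
        return 'too_fast';
    }
    return $elapsed > MAX_SECONDS ? 'expired' : 'ok';
}

// Constructed demonstration with fixed clock values instead of time().
$rendered = 1700000000;
$token = issue_form_token($rendered);
foreach ([2, 30, 7200] as $delay) {
    printf("%5ds after render: %s\n", $delay, check_form_token($token, $rendered + $delay));
}
// Same MAC, earlier timestamp: the signature no longer matches.
$forged = ($rendered - 60) . ':' . explode(':', $token)[1];
printf("backdated timestamp: %s\n", check_form_token($forged, $rendered + 2));
```

The token is not single-use, so it complements the per-IP check from the first post rather than replacing it.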

  3. #3
    Quote, originally posted by ralph.m:
    Sounds like you have your form security wrapped up pretty nicely. But every little extra thing helps.

    One thing that has been discussed around here a lot lately is setting a 'timer' on the form. That is, the PHP checks how long the page has been open before the form is submitted. Bots will tend to submit the form very quickly, unlike real humans, so if you set the form to abort if the page wasn't open for more than, say, 7 seconds, you may trip up the bots quite a bit. This method also is very human friendly, of course, as real humans never even know it's there. It won't stop individual humans spamming you, but this is a much smaller problem than getting hit by bots.
    Cool, thanks for your reply... can you provide some information on how I could implement the timer function on the form / page, thanks again for your help

  4. #4
    ralph.m
    Quote, originally posted by oo7ml:
    can you provide some information on how I could implement the timer function on the form / page
    Because I couldn't find any info on this a while back, I tried it myself and wrote it up here:

    http://pageaffairs.com/notebook/contact-form-honeypots

    It can probably be improved a lot, but that's my attempt at it, anyhow.

  5. #5
    Excellent, thanks, I will have a read of this...
