Show After 3 Failed Attempts

Hi, I have noticed that Twitter and Facebook both have a good system in place on some of their forms.

For example, if a user fails to enter their correct details into the Sign In Form 3-4 times, a reCaptcha shows.

I also noticed that the reCaptcha shows on the Sign Up Form after it detects suspicious activity…

Can anyone think how they might have implemented this system, as I really don’t want to display a reCaptcha form by default… I would rather only display it if there was suspicious activity.

(please do not respond saying that captchas are a waste of time etc… I am simply only interested in finding out how Twitter and Facebook are implementing captchas when they detect something suspicious :slight_smile:)

Thanks in advance for your help…

I’d guess they are probably doing something equivalent to storing the attempt in a PHP Session variable.

1st result from this query gets me a discussion on that: [google]3 strikes and you are out PHP session[/google].

Thanks, don’t see much on google on this :frowning:

Try this direct link then, I don’t like linking directly out to other forums, but cannot find a good match on SP.

Cool, thanks, that is fine for signing in… how would you handle the sign up, thanks again for your help…

I was thinking of doing the following:

When validating the sign-up form, check to see if an account has been created from the same IP address within the last minute (or less)… if it has, fail the validation and display a captcha.

Yeah, that’s not an easy question to answer. I don’t think it has one “golden solution”. It really depends on what you consider suspicious.

Multiple accounts from the same IP, free email providers, registration from common “spam countries”, throwaway email addresses, etc. Just figure out what you consider to be “suspicious” and go from there.
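
The two checks discussed in this thread (a failed sign-in counter held in the session, and a sign-up from an IP address that created an account within the last minute), as an added example that is not code from any poster or from Twitter or Facebook. The function names, thresholds and sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed thresholds, taken from the numbers mentioned in the thread.
const MAX_FAILED_LOGINS = 3;       // require the captcha from the 3rd failure on
const SIGNUP_WINDOW_SECONDS = 60;  // "within the last minute"

// Count a failed sign-in; $session stands in for $_SESSION after session_start().
function recordFailedLogin(array &$session): int
{
    $session['failed_logins'] = ($session['failed_logins'] ?? 0) + 1;
    return $session['failed_logins'];
}

// True once the stored failure count has reached the threshold.
function loginNeedsCaptcha(array $session): bool
{
    return ($session['failed_logins'] ?? 0) >= MAX_FAILED_LOGINS;
}

// $recentSignups: rows of ['ip' => string, 'created_at' => unix time],
// for example selected from the accounts table (hypothetical schema).
function signupNeedsCaptcha(array $recentSignups, string $ip, int $now): bool
{
    foreach ($recentSignups as $row) {
        $age = $now - $row['created_at'];
        if ($row['ip'] === $ip && $age >= 0 && $age <= SIGNUP_WINDOW_SECONDS) {
            return true;
        }
    }
    return false;
}

// Constructed sample data (documentation-range IP addresses, fixed clock).
$now = 1700000000;
$recentSignups = [
    ['ip' => '203.0.113.7',  'created_at' => $now - 20],
    ['ip' => '198.51.100.4', 'created_at' => $now - 3600],
];
$session = [];
foreach ([1, 2, 3] as $attempt) {
    recordFailedLogin($session);
    printf("failed sign-in %d: captcha=%s\n", $attempt, var_export(loginNeedsCaptcha($session), true));
}
foreach (['203.0.113.7', '198.51.100.4'] as $ip) {
    printf("sign-up from %s: captcha=%s\n", $ip, var_export(signupNeedsCaptcha($recentSignups, $ip, $now), true));
}
```

A counter kept only in the session starts again from zero whenever the client discards its session cookie, so the same count stored server-side against the account name or IP address is the sturdier variant. Many users can share one IP address behind NAT, which is why the sign-up check here only triggers a captcha rather than rejecting the registration.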