Advice needed: I would like to make a secure form on the site without using a captcha. What I've done:

  1. Introduced a session variable with a generated encoded value, which is placed in a hidden form field. When the form is received, the hidden field is compared with this value. If there is a discrepancy, naturally, a corresponding message is displayed and the form is not processed.
  2. Introduced another session variable, which ensures that the form cannot be sent more than once per hour. That is, after the form is submitted, when the page is refreshed its HTML markup does not appear on the page at all for an hour.

Question: what pitfalls does my script contain, and what can we expect from cheerful hackers? In particular, I am interested in whether it is possible or impossible to send this form from a third-party resource.

    1 answer

    Give the fields random names, all of type "text" or the like, which bots fill in. And make one or several of the fields visibility: hidden. If the bot fills them in, the form does not pass.

    Against manual spam even a captcha will not save you.

    • @lampa, long time no see! I have heard about hidden fields and random names. Will I have to create additional session variables for such names? And how can a bot get around my condition that the form is not accepted more often than once per hour? - Deus
    • @Deus, easily: the session identifier is stored in cookies. Clear the cookies, and access to the page is cleared too) - Alex Krass
    • @Deus, a proxy and different accounts. - lampa
    • @Alex Krass, I just thought about it and immediately confirmed it. Although I just tried to send the form from another script - it did not work))) the form does not have the correct identifier in that case. - Deus
    • @lampa, where can I read about this protection in more detail? - Deus