
Knablart CAPTCHA

CAPTCHA picture generator in C++/QT3 and a cookieless, databaseless, AJAX aware checking system in PHP
Copyright (C) 2003-2007 by Jarno Elonen <elonen@iki.fi>

Quickstart

  • install
    • PHP with mcrypt, db4 and CLI support ('php' executable)
    • imagemagick
    • g++
    • QT3 and qmake
  • run ./build-all.sh and wait forever as it generates 5000 images
  • If everything went right, you should now have a captcha.db of about 7MB worth of CAPTCHA images. They should also be in pic-generator/generated/ as separate GIFs
  • Edit config.inc appropriately
    • Check your installation path
    • Change the encryption key. Don't use the default key!
  • Put the whole thing under some web directory and try out usage-example.php.
    • Don't forget to copy .htaccess, too! Otherwise the DB and your encryption key will be world-accessible!

How it works

  • Off-line preparation:
    • Creates a large enough amount of challenge pictures (gifs) with a C++/QT3 program (QT4 probably won't work)
    • Puts them into a DBA (default: db4) file
  • On-line:
    • Creates HTML and Javascript for the challenge with one PHP call (see usage-example.php).
    • Sends an encrypted version of the correct answer and a timestamp along with the form code in a "type=hidden" field.
      • This makes HTTP session management (and thus cookies) unnecessary.
      • Points the img tag to a PHP script that decrypts the answer field and fetches the correct image data from the DBA file.
    • If Javascript is enabled, checks user's answer AJAX-style (immediately by a Javascript HTTP request) and displays "OK" or "Wrong" even before the user hits Submit. Failure results in a 2-3 second delay.
    • When checking the answer (on HTTP server side), decrypts the correct answer and fails expired (time configurable) challenges to prevent answer reuse (playback attacks).
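As an added example (not the project's PHP code), here is a Python sketch of the stateless challenge token the list above describes, with one swap named plainly: instead of mcrypt-encrypting the answer into the hidden field, the token carries a random nonce and a timestamp under an HMAC, and the picture (hence the answer) is derived from that keyed tag, so the answer never travels in the field and any tampering or reuse after the expiry window fails the check. The key, the picture table and MAX_AGE are constructed placeholders standing in for config.inc and captcha.db.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed stand-ins for captcha.db and the key from config.inc (placeholders, not real values).
PICTURES = {0: "k7xq2", 1: "ab3cd", 2: "zz9pw"}  # picture id -> expected answer
SECRET_KEY = b"PLACEHOLDER-change-me-before-use"
MAX_AGE = 120                                   # seconds a challenge stays valid
NONCE_LEN, TS_LEN, TAG_LEN = 16, 8, 32          # token layout: nonce | timestamp | tag

def _tag(nonce, ts):
    """Keyed MAC over nonce and timestamp; it also selects the picture (see picture_for)."""
    return hmac.new(SECRET_KEY, nonce + ts.to_bytes(TS_LEN, "big"), hashlib.sha256).digest()

def picture_for(tag):
    """Picture id derived from the keyed tag, so the answer is not readable from the token."""
    return int.from_bytes(tag[:4], "big") % len(PICTURES)

def new_challenge(now=None):
    """Value for the hidden form field (and the img URL): base64(nonce | timestamp | tag)."""
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(NONCE_LEN)
    return base64.urlsafe_b64encode(nonce + ts.to_bytes(TS_LEN, "big") + _tag(nonce, ts)).decode()

def parse_token(token):
    """Return (timestamp, picture id) for an untampered token, else None; the img script uses the id."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:                          # covers binascii.Error (bad padding/alphabet)
        return None
    if len(raw) != NONCE_LEN + TS_LEN + TAG_LEN:
        return None
    nonce, tag = raw[:NONCE_LEN], raw[NONCE_LEN + TS_LEN:]
    ts = int.from_bytes(raw[NONCE_LEN:NONCE_LEN + TS_LEN], "big")
    if not hmac.compare_digest(tag, _tag(nonce, ts)):  # constant-time; forged tokens fail here
        return None
    return ts, picture_for(tag)

def check_answer(token, answer, now=None):
    """Server-side check shared by the AJAX pre-check and the final form submission."""
    parsed = parse_token(token)
    if parsed is None:
        return "invalid"
    ts, pic = parsed
    if int(time.time() if now is None else now) - ts > MAX_AGE:
        return "expired"                        # an old, already-solved token cannot be replayed
    return "ok" if hmac.compare_digest(answer.strip().lower().encode(), PICTURES[pic].encode()) else "wrong"
```

The same check_answer serves both the Javascript pre-check and the final submission, so the delay on failure described above would be applied in whichever endpoint calls it.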
