Hello,

I'm developing a browser-based game in my free time. An annoyance I find in some other browser-based games across the net is having to enter a CAPTCHA on every page. The purpose of the CAPTCHA in most browser games is to prevent automated programs from reading pages and then submitting to the server. Basically, cheating by letting a program play for you. This is my scenario:

There would be a login page where you enter a Username, Password, and a CAPTCHA that you have to pass. Upon successfully passing the login CAPTCHA, there would be a cookie set with an encrypted version of the Username. The only way you can see a game related page is if this cookie is set, with a valid encrypted Username. Would having this one login CAPTCHA eliminate the need for one on every page, or is there still a way to cheat the system?

    If a human logs in he'll then have access to the cookie. He can then plug that cookie value into an automated program (even if he doesn't know what it says). So no, that doesn't really remove the necessity of a captcha on every page.

      Just seems like there should be a way around having one on every page... as it REALLY distracts from play.

      I haven't messed much with session stuff in PHP... is session data any more secure than cookie data?

        Session data is more secure against user tampering with the values. But it won't help you determine whether the user is a human or a bot.

        Aside from captchas I don't know of any good way to tell. You could place the captchas on only every x page view, where x is a random value. Then the user wouldn't have to deal with it on every page. You could limit the number of page views over a certain amount of time, but then bots can just use a delay to slow themselves down.

          Correct me if I am wrong, but isn't session data stored on the server? Wouldn't that make it inaccessible to anything other than a program on that server? (Again, I apologize for my lack of knowledge on session stuff.)

            Yes. The user only gets a session id, usually in a cookie, which allows the server to map them to the stored session data. So the user can't view or modify the data you're storing for them.

              If a human logs in he'll then have access to the cookie. He can then plug that cookie value into an automated program (even if he doesn't know what it says). So no, that doesn't really remove the necessity of a captcha on every page.

              So if instead I write the encrypted Username to a session variable, wouldn't this solve things, having just one CAPTCHA on the login?

                The user could log in then grab the session id from the cookie and enter that into the program. No difference.
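
A sketch of the "CAPTCHA on only every x page view, where x is a random value" idea from the thread, with the counter held in server-side session data so the client can neither read nor reset it. This is an added example, not code from any poster; the session key names, the bounds on x, and the `/captcha.php` and `/login.php` paths are assumptions.

```php
<?php
declare(strict_types=1);

const CAPTCHA_MIN_VIEWS = 15; // assumed lower bound for x
const CAPTCHA_MAX_VIEWS = 40; // assumed upper bound for x

/** Pick a fresh, unpredictable number of page views until the next challenge. */
function schedule_next_captcha(array &$session): void
{
    // random_int() is a CSPRNG, so a client cannot predict when the challenge lands.
    $session['views_left'] = random_int(CAPTCHA_MIN_VIEWS, CAPTCHA_MAX_VIEWS);
    $session['captcha_pending'] = false;
}

/**
 * Call once per game page view.
 * Returns 'login', 'captcha' or 'ok' to tell the controller what to serve.
 */
function gate_page_view(array &$session): string
{
    if (empty($session['user_id'])) {
        return 'login';              // no authenticated session at all
    }
    if (!isset($session['views_left'], $session['captcha_pending'])) {
        schedule_next_captcha($session);
    }
    if ($session['captcha_pending']) {
        return 'captcha';            // challenge stays outstanding until solved
    }
    if ($session['views_left'] <= 0) {
        $session['captcha_pending'] = true;
        return 'captcha';
    }
    $session['views_left']--;        // state lives server-side; the cookie holds only the id
    return 'ok';
}

/** Call only after the CAPTCHA answer has been verified on the server. */
function captcha_solved(array &$session): void
{
    schedule_next_captcha($session);
}

// Usage in a page controller (paths are hypothetical):
// session_start();
// $state = gate_page_view($_SESSION);
// if ($state === 'login')   { header('Location: /login.php');   exit; }
// if ($state === 'captcha') { header('Location: /captcha.php'); exit; }
```

As the replies point out, a copied session id carries this state with it, so the gate bounds how many page views can pass between human-solved challenges rather than proving a human is present on each request.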
