ZeroStorageCaptcha/cpp-lib

Zero storage captcha C++ headers lib

Offline captcha without any file system or database storage.

Dependency: Qt (5+).

Inspiration

Captcha is required in many public projects to protect against spammers and similar automated unwanted activity.

As practice shows, developers are accustomed to relying on external services even for fonts (!). Implementing bot protection is obviously harder than storing fonts or style sheets locally, which is why most developers hand the job to "free" corporate services.

The goal of Zero Storage Captcha is to make it easy to use a locally generated captcha picture without having to store the answer. This lets any project have a high-quality and ethical captcha without spending VPS disk space (it costs CPU time only).

How it works

When a captcha is generated, the user receives a picture and a token. The token is a string key used to verify that the answer is correct. It is derived as follows:

BASE64( MD5_HASH( CAPTCHA_ANSWER + TIME_BASED_SECRET_TOKEN + CAPTCHA_ID ) ) + "_" + BASE64( CAPTCHA_ID )

  • TIME_BASED_SECRET_TOKEN - a temporary, randomly generated secret string that limits the captcha life cycle and makes each hash value unique;
  • CAPTCHA_ID - a validation key for each captcha (a size_t number);

A regular captcha token looks like this: QyhnRNJolLJxnJaSqzQVww_Aq. Trailing A characters are removed from the BASE64( CAPTCHA_ID ) part.

Along with the picture, the user must be given the verification token, which the client sends back to the server together with the answer to the picture. This can be done either through javascript or by embedding the token when generating html pages with a templating engine.

The system remembers the previous time-based secret so that captchas generated a few seconds before the secret rotated are still verified correctly.

Because of this architecture, the lifetime of each captcha ranges from 1.5 to 3 minutes, after which verification of the token will always fail.

To make it impossible to use one captcha twice, the id of a captcha that has been checked is placed in a special cache, where it is kept for several minutes (the life cycle of TIME_BASED_SECRET_TOKEN). The captcha token is considered used after the first validation check. Storing a captcha id is very cheap: an id weighs 8 bytes (on a 64-bit system). For example, storing a million solved captchas at one time would need less than 8 MB of RAM. So easy!
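The scheme above (token derivation, rotation of the time-based secret with the previous one retained, and the used-id cache) as a self-contained Python model. This is an added example, not the library's C++/Qt code; it assumes details the page leaves open: the three values are concatenated as text with the id in decimal, the id is serialised as 8 little-endian bytes before Base64, '=' padding is stripped from both parts (the sample token QyhnRNJolLJxnJaSqzQVww_Aq has none), ids are drawn at random from the 64-bit space, and the secret rotates every 90 seconds. Picture generation is out of scope; generate() returns the answer text in place of the picture.

```python
import base64
import hashlib
import hmac
import secrets
import string
import struct
import time


def _b64_nopad(data: bytes) -> str:
    """Base64 without '=' padding (assumption: matches the 22-char hash part of the sample token)."""
    return base64.b64encode(data).decode("ascii").rstrip("=")


def encode_captcha_id(cid: int) -> str:
    """BASE64(CAPTCHA_ID) with trailing 'A' characters removed.
    Assumption: the size_t id is serialised as 8 little-endian bytes."""
    return _b64_nopad(struct.pack("<Q", cid)).rstrip("A")


def decode_captcha_id(part: str):
    """Inverse of encode_captcha_id; returns None for malformed input.
    8 bytes always Base64-encode to 11 characters plus one '=', so the
    stripped 'A's are restored by padding to 11 before decoding."""
    alphabet = string.ascii_letters + string.digits + "+/"
    if len(part) > 11 or any(c not in alphabet for c in part):
        return None
    try:
        raw = base64.b64decode(part.ljust(11, "A") + "=", validate=True)
    except ValueError:
        return None
    return struct.unpack("<Q", raw)[0]


def hash_part(answer: str, secret: str, cid: int) -> str:
    """BASE64( MD5_HASH( CAPTCHA_ANSWER + TIME_BASED_SECRET_TOKEN + CAPTCHA_ID ) ).
    Assumption: plain text concatenation, id written in decimal."""
    material = (answer + secret + str(cid)).encode("utf-8")
    return _b64_nopad(hashlib.md5(material).digest())  # always 22 characters


class ZeroStorageCaptcha:
    """Server-side state: current and previous secret plus the used-id cache.
    `now` is injectable so the rotation behaviour can be tested with a fake clock."""

    def __init__(self, secret_lifetime_s: float = 90.0, now=time.time):
        self._now = now
        self._lifetime = secret_lifetime_s
        self._current = secrets.token_hex(16)
        self._previous = None
        self._rotated_at = now()
        self._used = {}  # captcha id -> timestamp until which it is remembered

    def _rotate_if_due(self):
        t = self._now()
        elapsed = t - self._rotated_at
        if elapsed >= self._lifetime:
            # Keep the outgoing secret as "previous" only if a single period passed;
            # after two or more periods nothing signed with it can still be valid.
            self._previous = self._current if elapsed < 2 * self._lifetime else None
            self._current = secrets.token_hex(16)
            self._rotated_at = t
            # Drop used ids whose retention window (two secret lifetimes) has ended.
            self._used = {i: e for i, e in self._used.items() if e > t}

    def generate(self):
        """Returns (token, answer). The answer stands in for the picture here."""
        self._rotate_if_due()
        cid = secrets.randbits(64)  # assumption: random size_t id
        answer = "".join(secrets.choice(string.ascii_uppercase + string.digits) for _ in range(6))
        token = hash_part(answer, self._current, cid) + "_" + encode_captcha_id(cid)
        return token, answer

    def verify(self, token: str, answer: str) -> bool:
        self._rotate_if_due()
        head, sep, tail = token.partition("_")
        if not sep or len(head) != 22:
            return False
        cid = decode_captcha_id(tail)
        if cid is None or cid in self._used:
            return False  # malformed, or already checked once (replay)
        # The page's rule: a token counts as used after its first validation check,
        # whether or not the answer was right, so guesses cannot be retried.
        self._used[cid] = self._now() + 2 * self._lifetime
        for secret in (self._current, self._previous):
            if secret is not None and hmac.compare_digest(hash_part(answer, secret, cid), head):
                return True
        return False


if __name__ == "__main__":
    captcha = ZeroStorageCaptcha()
    token, answer = captcha.generate()
    print(token, captcha.verify(token, answer), captcha.verify(token, answer))
```

The used-id map only ever holds 64-bit integers with an expiry, which is the "8 bytes per solved captcha" cost the text describes; because ids are random rather than sequential, an attacker cannot pre-mark future ids as used by submitting forged tokens. The picture cache of example3.cpp is not modelled here.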

To protect the CPU from an attack in which an attacker requests a large number of captchas, you should use caching (example3.cpp). This is a compromise between RAM use and CPU savings: storing 4096 captchas (the default cache size) takes about 36 MB. A cached captcha is reused after at most 3 minutes, once its token has expired without a correct answer. Captchas that receive a correct answer are deleted from the cache immediately and will not be used again.

Check the examples, or, if your project is not written in C++ (or does not use the Qt framework), you can use Zero Storage Captcha as a separate cross-platform local service.