
Captcha



Just the other day, DoctorDemon proposed what is, in my opinion, an interesting captcha variant. In the comments to that post, Habr users' opinions were divided, and the main drawback named was how easy it would be for bots to guess the answer. I got interested and thought: why not implement it?


While thinking it over, I made the firm decision that the “labyrinth” would be generated randomly each time, to make life harder for annoying bots.
Implementation

The attentive reader will notice that I have dropped the other symbols and slightly simplified the structure of the labyrinth, leaving only movement by a whole cell; this simplifies generation and subsequent navigation through the labyrinth. For aesthetics, the paths do not overlap. That is, any labyrinth can be represented as a tree whose root is the starting point, and the children of each vertex are the points reached by following the “left”, “right”, “up” and “down” branches.

Of course, all this has made the bots' task easier, but it seems to me that the labyrinth looks friendlier as a result. The time to generate the maze is reduced, and passing the maze is easier for a normal visitor.
You can try it in action here: http://star.nn.ru/
Now for how it works.

To make the bots' task different from answering a question like “enter 2 + 2”, I had to resort to a trick. After the maze is generated, it is stored in the database along with the session ID. While the eager user moves toward point “A”, JavaScript records all of his moves in a hidden form field. Once the maze is passed, a submit button appears; clicking it sends the commenter's name, the text and the path taken to the server. On the server side, the labyrinth is loaded from the database and a diligent script repeats the user's moves, making sure that they never leave the path and that they end up at point “A”. If everything checks out, the captcha is passed and the comment is added. Otherwise, we are obviously dealing with an ill-wisher and can safely block them, for example by IP address (well, I did not do that).
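The server-side replay described above, as an added example that is not the author's code. The maze representation (a set of open cells), the move letters `L`/`R`/`U`/`D`, the in-memory dict standing in for the database, the length cap and the delete-on-first-attempt behaviour are all assumptions made for illustration.

```python
# Added example: server-side replay of a submitted maze path (all names hypothetical).
MOVES = {"L": (-1, 0), "R": (1, 0), "U": (0, -1), "D": (0, 1)}
MAX_PATH_LEN = 256  # assumed cap so oversized submissions are rejected early

# Constructed sample maze: open (x, y) cells forming non-overlapping corridors.
SAMPLE_MAZE = {
    "open": {(0, 0), (1, 0), (2, 0), (2, 1), (2, 2), (1, 2), (0, 1)},
    "start": (0, 0),
    "goal": (1, 2),  # point "A"
}

MAZE_STORE = {}  # stand-in for the database table keyed by session ID


def save_maze(session_id, maze):
    MAZE_STORE[session_id] = maze


def replay_path(maze, path):
    """True only if every move is known, every step stays on an open cell,
    and the walk ends on the goal."""
    if not isinstance(path, str) or not path or len(path) > MAX_PATH_LEN:
        return False
    x, y = maze["start"]
    for move in path:
        if move not in MOVES:
            return False
        dx, dy = MOVES[move]
        x, y = x + dx, y + dy
        if (x, y) not in maze["open"]:
            return False  # strayed off the road
    return (x, y) == maze["goal"]


def check_captcha(session_id, path):
    """The maze is removed before validation, so each maze allows one attempt
    and a failed guess cannot be retried against the same layout."""
    maze = MAZE_STORE.pop(session_id, None)
    if maze is None:
        return False
    return replay_path(maze, path)
```

Because the client only ever sends moves, never coordinates or a "solved" flag, the server decides the outcome entirely from its own stored copy of the maze.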

However, guessing the path does not become an intractable problem, and, what is more, an army of trained captcha solvers will bypass any protection. This is the first drawback.

The second drawback is server load. First, generating a maze itself takes resources. In addition, we need at least 2 database calls: one when we save the maze and one when we load it. Ideally, it should also be deleted afterwards. Of course, the maze could instead be carried from the server to the client and back. It is also possible to accumulate several hundred different labyrinths in advance and serve them randomly from the database without generating them.

On top of that, there are problems with "mobile" visitors and a large amount of additional data.

PS This is just a rough sketch, not without flaws, made during breaks over cups of coffee.

Source: https://habr.com/ru/post/50233/

