UnfoX Posted June 30, 2009 Share Posted June 30, 2009 I have a system which there is a button in it. Users are allowed to click at say 1 hour periods. Once user clicked the button, he should wait 1 hour to be able to click again. But I have a problem. Some users codes some applications which clicks on a coordinate on a page. So they set the timer and automatically click the button every hour. I want to prevent that. But I don't want to use captcha. Is there any other alternative to prevent autoclicking? Thank you all Quote Link to comment Share on other sites More sharing options...
xtopolis Posted July 1, 2009 Share Posted July 1, 2009 Not really. There are macro programs out there that use VB scripts to locate images and click, so even moving the button around may not be sufficient. All you can really do is make it inconvenient to setup a macro for clicking... such as making the button shape/size/color/text/position random per page load, as well as making sure that clicks only come from your website. (So they don't make their own form that mimics yours, negating your "clickproofing". Perhaps if you could make it a Q/A system. Have it state the thing like: "click on the blue triangle" and have 3 images , 2 of them triangles, 1 being blue, etc. Also be sure to change the wording around. It really comes down to making it inconvenient to map out the possible answers, while still making it easy for a human to decipher and click. Quote Link to comment Share on other sites More sharing options...
UnfoX Posted July 1, 2009 Author Share Posted July 1, 2009 All you can really do is make it inconvenient to setup a macro for clicking... such as making the button shape/size/color/text/position random per page load, as well as making sure that clicks only come from your website. (So they don't make their own form that mimics yours, negating your "clickproofing". But at least, when the page is loaded, the button id will be obvious. Than the macro can go through the source code and get the button id and its position and lately click to it. At least it can try to click all the buttons in the page where there is only 2 of them. Have I missed something? Your latest suggestion seems like more user-friendly. Captcha is worse way for a user to click a button. Maybe more visual protections without using keypad can be a better solution. Is there any application of this type protection like select-the-blue-triangle ? Thank you Quote Link to comment Share on other sites More sharing options...
xtopolis Posted July 3, 2009 Share Posted July 3, 2009 Hi, Sorry for the delay, I've been busy. Nothing can be completely avoided, necessity is the mother of invention. Eventually someone will find a way if it's valuable enough to them. My recommendations are: +randomize the name of the field, store it in the session so that it's harder to scrape (source code) +use flash instead for it +have dummy buttons that change the page or do something weird The "click the blue triangle" thing I've suggested is just another variation of captcha IMO. I do not know of any examples off hand, but it reminds me a joke screenshot of a russian captcha asking the user to solve a math problem, displayed as an image. Really, you're just trying to avoid the standard ways of verifying that most people are accustomed to [breaking]. Your concern is that your methods do not become more of a hindrance to legit users, while trying to deter the cheaters. Quote Link to comment Share on other sites More sharing options...
DieterStruik Posted July 11, 2009 Share Posted July 11, 2009 You can always add some client check with say JavaScript that registers the mouse position with the button location to see if it's clicked by hand. Otherwise load this button and it's post behaviour in a Flash movie within the page. Success, Dieter Quote Link to comment Share on other sites More sharing options...
J.Daniels Posted July 14, 2009 Share Posted July 14, 2009 +randomize the name of the field, store it in the session so that it's harder to scrape (source code) This is similar to what xtopolis said, You can create a generated token from the form page, and pass it in a hidden field to the processing page. This will at least disable any outside form from submitting. If the page is loaded then scraped, it's difficult to determine whether it was loaded by a human or script without some type of captcha. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.