Protecting from autoclick

[UnfoX]

I have a system which there is a button in it. Users are allowed to click at say 1 hour periods. Once user clicked the button, he should wait 1 hour to be able to click again.

 

But I have a problem. Some users codes some applications which clicks on a coordinate on a page. So they set the timer and automatically click the button every hour.

 

I want to prevent that. But I don't want to use captcha. Is there any other alternative to prevent autoclicking?

 

Thank you all

[xtopolis]

Not really.  There are macro programs out there that use VB scripts to locate images and click, so even moving the button around may not be sufficient.

 

All you can really do is make it inconvenient to setup a macro for clicking... such as making the button shape/size/color/text/position random per page load, as well as making sure that clicks only come from your website. (So they don't make their own form that mimics yours, negating your "clickproofing".

 

Perhaps if you could make it a Q/A system.  Have it state the thing like: "click on the blue triangle" and have 3 images , 2 of them triangles, 1 being blue, etc.  Also be sure to change the wording around.  It really comes down to making it inconvenient to map out the possible answers, while still making it easy for a human to decipher and click.

[UnfoX]

 

All you can really do is make it inconvenient to setup a macro for clicking... such as making the button shape/size/color/text/position random per page load, as well as making sure that clicks only come from your website. (So they don't make their own form that mimics yours, negating your "clickproofing".

 

But at least, when the page is loaded, the button id will be obvious. Than the macro can go through the source code and get the button id and its position and lately click to it. At least it can try to click all the buttons in the page where there is only 2 of them. Have I missed something?

 

Your latest suggestion seems like more user-friendly. Captcha is worse way for a user to click a button. Maybe more visual protections without using keypad can be a better solution. Is there any application of this type protection like select-the-blue-triangle ?

 

Thank you

[xtopolis]

Hi, Sorry for the delay, I've been busy.

 

Nothing can be completely avoided, necessity is the mother of invention.  Eventually someone will find a way if it's valuable enough to them.

 

My recommendations are:

+randomize the name of the field, store it in the session so that it's harder to scrape (source code)

+use flash instead for it

+have dummy buttons that change the page or do something weird

 

The "click the blue triangle" thing I've suggested is just another variation of captcha IMO.  I do not know of any examples off hand, but it reminds me a joke screenshot of a russian captcha asking the user to solve a math problem, displayed as an image.

 

Really, you're just trying to avoid the standard ways of verifying that most people are accustomed to [breaking].  Your concern is that your methods do not become more of a hindrance to legit users, while trying to deter the cheaters.

[DieterStruik]

You can always add some client check with say JavaScript that registers the mouse position with the button location to see if it's clicked by hand.

 

Otherwise load this button and it's post behaviour in a Flash movie within the page.

 

Success,

 

Dieter

[J.Daniels]

+randomize the name of the field, store it in the session so that it's harder to scrape (source code)

 

This is similar to what xtopolis said, You can create a generated token from the form page, and pass it in a hidden field to the processing page.  This will at least disable any outside form from submitting.  If the page is loaded then scraped, it's difficult to determine whether it was loaded by a human or script without some type of captcha.