#1
Contributing User (Devshed Newbie, 0 - 499 posts)
Join Date: Sep 2011 | Posts: 198 | Rep Power: 4

    Securing The Sign Up Form


    Hi, I am trying to think of ways of securing, or at least "trying" to put some extra security measures in place on, my website's sign up form.

    I understand that captchas can be broken very easily and, more importantly, they could actually stop a potential user from signing up to my site.

    Points To Note:
    - I have strong JS and PHP validation in place on the sign up form
    - users' accounts stay in 'pending' status until they click the validation link that was emailed to them (changes to 'active' once the validation link is clicked)
    - a cron runs every hour and deletes all 'pending' accounts that are older than 72 hours

    I cannot really think of any other security measures that I could put in place without really annoying the users, and I understand that spam / bots are just part of everyday life on the internet...

    However, I would like to try and detect when suspicious activity occurs on my sign up form... so I was thinking of implementing the following:

    When a user submits the form, check to see if the IP address has already created an account within the last 7 seconds... if it has, display a captcha

    I understand that a whole college or building might be running off the same IP address, but the worst that can happen is that a few users who create an account close together will have to enter a captcha... and even for a very popular site, that percentage would be very low as it is only used for sign up and not for any other function on the site

    I am interested to hear whether anyone has any better idea (which I am sure loads will have) or what you think of my idea, thanks in advance for your help...
#2
Lost in code (Devshed Supreme Being, 6500+ posts)
Join Date: Dec 2004 | Posts: 8,316 | Rep Power: 7170
    Do you actually have a problem with lots of fake accounts being created by the same IP in a period of less than 7 seconds?
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
#3
Contributing User (Devshed Newbie, 0 - 499 posts)
Join Date: Jan 2004 | Posts: 38 | Rep Power: 11
    I agree, if you don't have this problem don't fix it.

    One forum addon I added that helped stop a lot of spambot sign-ups was just a simple one that blocked all attempted logins from anyone who took less than a certain number of seconds to fill out the registration form.
#4
Contributing User (Devshed Newbie, 0 - 499 posts)
Join Date: Sep 2011 | Posts: 198 | Rep Power: 4
    Hi, thanks for the replies. No, I don't have that problem yet as my site is not launched... I just want to have measures in place in case it does happen...

    Can you elaborate on how I could implement the timing on the sign up form so that it throws an error if it is completed quicker than 5 seconds?
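One way to implement the minimum fill-time check from post #3 in answer to the question above, as an added example that is not code from the thread: the server embeds a signed render timestamp in a hidden field when the form is shown and, on submit, rejects (or challenges with a captcha) any submission that arrives in under 5 seconds. The field name `form_token`, the constant names and the secret value are assumptions; the HMAC keeps a bot from simply posting an older timestamp.

```php
<?php
// Added example (not from the thread). Assumes PHP 7.1+ and a secret loaded from config.
const SIGNUP_SECRET   = 'REPLACE-WITH-LONG-RANDOM-SECRET'; // placeholder, not a real value
const MIN_FILL_SECONDS = 5;     // threshold discussed in the thread
const MAX_TOKEN_AGE    = 3600;  // stale token: form left open too long, make them reload

// Called when the sign-up form is rendered. The token carries the render time
// and a nonce, authenticated with an HMAC so the client cannot alter the time.
function issue_form_token(?int $now = null): string {
    $now     = $now ?? time();
    $nonce   = bin2hex(random_bytes(8));
    $payload = $now . ':' . $nonce;
    $mac     = hash_hmac('sha256', $payload, SIGNUP_SECRET);
    return $payload . ':' . $mac;
}

// Called in the POST handler. Returns null when the timing is acceptable,
// otherwise a short reason string the caller can log or act on.
function check_form_token(string $token, ?int $now = null): ?string {
    $now   = $now ?? time();
    $parts = explode(':', $token);
    if (count($parts) !== 3) {
        return 'malformed';            // field missing or not produced by us
    }
    [$issued, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', $issued . ':' . $nonce, SIGNUP_SECRET);
    if (!hash_equals($expected, $mac)) {
        return 'tampered';             // timestamp or nonce was edited client-side
    }
    $elapsed = $now - (int)$issued;
    if ($elapsed < MIN_FILL_SECONDS) {
        return 'too_fast';             // completed faster than a human plausibly could
    }
    if ($elapsed > MAX_TOKEN_AGE) {
        return 'expired';
    }
    return null;
}

// Usage (hypothetical field name 'form_token'):
// render:  <input type="hidden" name="form_token"
//                 value="<?= htmlspecialchars(issue_form_token()) ?>">
// submit:  $problem = check_form_token($_POST['form_token'] ?? '');
//          if ($problem !== null) { /* show a captcha or reject, and log $problem */ }
```

This only filters bots that post the form immediately; one that waits a few seconds passes, so treat a 'too_fast' result as a signal to add a captcha rather than as a complete control.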
#5
Contributing User (Devshed Expert, 3500 - 3999 posts)
Join Date: Jul 2003 | Posts: 3,542 | Rep Power: 595
    If your objective is to prevent Denial of Service (DoS) attacks that won't work no matter what you do. Throwing an error for login attempts that are coming too fast also uses resources so the attack still accomplishes its goal. DoS attacks are (should be) stopped at the firewall.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
