March 15th, 2013, 06:51 PM
Securing The Sign Up Form
Hi, i am trying to think of ways of securing or at least "trying" to put some extra security measures in place on my websites sign up form.
I understand that captchas can be broken very easily and more importantly they could actually stop a potential user from signing up to my site.
Points To Note:
- i have strong JS and PHP validation in place on the sign up form
- user's accounts stay in 'pending' status until the click the validation link that was emailed to them (changes to 'active' once the validation link is clicked)
- a cron runs every hour and deletes all 'pending' accounts that are older than 72 hours
I cannot really think of any other security measures that i could put in place, without really annoying the users, and i understand that spam / bots are just part of everyday life on the internet...
However, i would like to try and detect when suspicious activity occurs on my sign up form... so i was thinking of implementing the following:
When a user submits the form, check to see if the IP address has already created an account within the last 7 seconds... if it has, display the a captcha
I understand that a whole college or building might be running off the same IP address, but the worst than can happen is that a few users who create an account close together will have to enter a captcha... and even for a very popular site, that percentage would be very low as it is only used for sign up and not for any other function on the site
I am interested to hear whether anyone has any better idea (which i am sure loads will have) or what you think of my idea, thanks in advance for your help...
March 15th, 2013, 07:58 PM
Do you actually have a problem with lots of fake accounts being created by the same IP in a period of less than 7 seconds?
March 15th, 2013, 09:48 PM
I agree, if you don't have this problem don't fix it.
One forum addon I added that helped save a lot of spambot sign up was just a simple one that blocked all attempted logins from anyone who took less than a certain amount of seconds to fill out the registration form.
March 17th, 2013, 03:20 PM
Hi thanks for the replies, no i don't have that problem yet as my site is not launched... i just want to have measures in place in case it does happen...
Can you elaborate on how i could implement the time on the sign up form so that it throws an error if it is completed quicker than 5 seconds
March 17th, 2013, 04:51 PM
If your objective is to prevent Denial of Service (DoS) attacks that won't work no matter what you do. Throwing an error for login attempts that are coming too fast also uses resources so the attack still accomplishes its goal. DoS attacks are (should be) stopped at the firewall.
There are 10 kinds of people in the world. Those that understand binary and those that don't.