Add server-side validation for drawn points

[RobThree]

How is this going to stop anything other than “human spammers” (which are close to non-existent compared to spam-bots anyways)? Any decent bot will (in time) just retrieve the “hidden” URL and use it to post it’s spam to. It doesn’t care if it has to parse the action attribute or some other field to get the URL to post the data to.

If you want this to be of any use at all, you’ll need to send the strokes themselves (or a “fingerprint” or “hash” of them) to the server and let the server decide whether the captcha is passed or not.

I'm sorry. I like your idea and out-of-the-box thinking. But it's practical use (fight automated spam) is close to zero.

[wjcrowcroft]

Apology accepted, but did you read the roadmap and the plugin homepage?

Server-side validation is a planned feature in this so-far-proof-of-concept CAPTCHA plugin, currently under active development.

I suggest you hit watch, and pop back in when it's released, and hopefully you could contribute some code to the server-side validation code, which will be forked into PHP and Node.JS variants.

Closing this issue until then, as it's not technically an 'issue' with 0.1, which is published as a proof of concept - it would be a valid issue, if this were a production-ready plugin :o)

[wjcrowcroft]

Re: your reply on my blog, actually it's a fair point - I should update the roadmap to be clearer! Doing that now. Thanks for the feedback.

[RobThree]

Well; it did state server-side validation for 1.0 to be fair, but it wasn't very clear what would be validated (or how). Either way; I'm happy we're on the same page now :-)

[wjcrowcroft]

Reopened, added to milestone 1.0 and updated the title.